I started a new open source project:

Multiocular shows what’s changed in your node_modules after dependency updates.

Right now it just shows a diff, but I have many ideas.

It is part of my long-running fight against Supply Chain Attacks.

https://github.com/multiocular-com/multiocular

Of course, the logo for the collective dependency audit project has to be the most beautiful and insane Cyrillic letter, the Multiocular O.

https://en.wikipedia.org/wiki/Cyrillic_O_variants#Multiocular_O

Over the past day I released several versions of Multiocular:

— Added support for viewing what changed in GitHub Actions when you update them
— Added support not only for my favourite pnpm, but also for npm, yarn 1, and yarn berry (bun support is welcome via PR)

Don’t get why you should worry about hacks from node_modules?

Just 2 days ago, nx (140M monthly downloads) was hacked via CI, stealing access keys from 1,300 users.

To bypass checks, the attackers even used the victim’s own LLM.

https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware

Multiocular is written in TS. Instead of tsc we use ts-blank-space to compile it, which just replaces all types with spaces.

As a result, we don’t need to put source maps into the npm package, and it is easier to compare the sources in node_modules with GitHub.

https://github.com/multiocular-com/multiocular/blob/main/scripts/build-server.ts

Since Multiocular is a tool for security I am trying to use all best practices there.

For instance, CI signs the npm release to prove that the package content came from the sources on GitHub (npm provenance).

https://www.npmjs.com/package/multiocular

https://github.com/multiocular-com/multiocular/blob/d168cc190e336c35d0f55ce38f7285bdda53a595/.github/workflows/publish.yml#L81

We build the npm package in a separate CI job to reduce the risk of a compromised environment after running a lot of tools in `npm test` (of course, we disable postinstall scripts in dependencies).

Another job, npm publish, doesn’t install any dependencies.

https://github.com/multiocular-com/multiocular/blob/d168cc190e336c35d0f55ce38f7285bdda53a595/.github/workflows/publish.yml

We add extra isolation to CI with step-security/harden-runner.

It blocks sudo and lets us define an allow-list of network requests.

https://github.com/multiocular-com/multiocular/blob/d168cc190e336c35d0f55ce38f7285bdda53a595/.github/workflows/publish.yml#L17-L26
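The pipeline described above (separate build and publish jobs, no install scripts, no dependencies in the publish job, provenance signing, harden-runner egress allow-list) written out as one workflow. This is an added example, not Multiocular’s own publish.yml; it assumes a pnpm project with `test` and `build` scripts, a `packageManager` field in package.json (for corepack), releases triggered by `v*` tags, and an `NPM_TOKEN` secret. Actions are referenced by tag here for readability; in a real workflow pin them to full commit SHAs.

```yaml
# Added example (not the project's workflow). Assumptions: pnpm, `pnpm test`
# and `pnpm build` scripts, a packageManager field for corepack, an NPM_TOKEN
# secret, release tags named v*. Pin actions to commit SHAs in real use.
name: Publish

on:
  push:
    tags: ['v*']

permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          disable-sudo: true
          # Only what the build needs. Start with egress-policy: audit, read
          # the blocked-endpoint report, then switch to block.
          allowed-endpoints: >
            github.com:443
            registry.npmjs.org:443
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: corepack enable
      # Install scripts disabled: a compromised transitive dependency must not
      # get code execution on the runner that builds the release.
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - run: pnpm test
      - run: pnpm build
      # The tarball is the only thing that crosses into the publish job.
      - run: pnpm pack
      - uses: actions/upload-artifact@v4
        with:
          name: tarball
          path: '*.tgz'

  publish:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # OIDC token for npm provenance (Sigstore)
    steps:
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          disable-sudo: true
          allowed-endpoints: >
            registry.npmjs.org:443
            fulcio.sigstore.dev:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
      # No checkout, no install: nothing but the built tarball touches this job.
      - uses: actions/download-artifact@v4
        with:
          name: tarball
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm publish ./*.tgz --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The split matters because `pnpm test` runs dozens of third-party tools; if any of them is compromised, the worst it can reach is a tarball that is later signed and attributed to the exact commit, and the publish token never exists in that job. The publish job has no checkout and no dependencies, so the only code that runs there is npm itself.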

Right now I’m talking about small stuff like CI because I am building the web UI.

How it will work:
1. Update deps (e.g., pnpm update or Dependabot)
2. Run npx multiocular locally or on CI to see what changed in node_modules

The idea is a fast UI to review node_modules changes so you can:

1. Prevent supply-chain attacks
2. Catch breaking changes
3. Learn from your dependencies code
4. Stop treating node_modules as a black box

First Multiocular design attempt.

I can’t do boring design even for simple utils.

Don’t worry, pixelated font will be used only for decorative elements. Diffs will use Martian Mono, of course.

Finished the first version of UI to review node_modules updates.

What do you think?

Just today chalk and other very popular npm packages by Sindre were compromised (via a phishing email to his co-maintainer).

https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack

Supply chain attacks are everyday reality now. We should start talking about them more often.

If you installed anything from npm today, there is a high chance that you installed a malware package via some sub-dependency with ^.

Some of the packages are still available on npm right now. This attack is huge.

Run `grep -r "const _0x112" node_modules` in your projects.

Multiocular got a new diff view to simplify reviewing all dependency changes.

Before/After:

@sitnik_en nice, a very welcome change!

What I would appreciate is if it would be possible to define a custom git diff command, or at least to ignore whitespace. I tried to use Multiocular in a project of mine, but one of the dependencies enabled Prettier between their patch releases, and it's very cumbersome to verify :/

On a similar note, maybe it would also be possible to integrate it with difftastic?

https://github.com/Wilfred/difftastic

@kytta I added whitespace ignoring and released 0.6.3
https://github.com/multiocular-com/multiocular/commit/d617e5f673fc09fcf5ce418616e579b2f68241b6

A custom diff is hard since we have a specific diff UI in the web app, which (as far as I know) has no integration with difftastic.
