So I guess I have some learning to do about this recent supply chain attack and npm stuff 👀

No recent project I'm working on has Axios as a dependency; the ones in the screenshot are old. But it's time I understood a bit more about how to stay safe. Open to any wisdom!

Found this article regarding the incident

https://snyk.io/blog/axios-npm-package-compromised-supply-chain-attack-delivers-cross-platform/

So from the sounds of it, had I been doing an npm install within that two-hour window I could have been affected? Just like that? That's scary.

@hejchristian Yeah, and the biggest issue is transitive dependencies. Just because you didn't install Axios explicitly doesn't mean another package you installed couldn't have it in its dependencies. So you might be screwed without even knowing it. 😅

The fewer dependencies, the better. A lot of what many packages do can be done rather trivially by yourself or using modern APIs (like Fetch in this case).

If you can, you could also use the --no-scripts flag, however that might not always work.

@hejchristian Dang it, it’s actually the --ignore-scripts flag, but the previous post doesn’t have enough space for the extra characters, so I can’t edit it.

Anyway, with room to elaborate: there are deps that rely on scripts running pre- or post-installation, so ignoring them doesn't always work. What I try to do is keep myself informed about supply chain attacks and do due diligence when choosing deps in the first place, i.e. ensuring they have as few dependencies as possible of their own.
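The two points raised in this thread (a package you never asked for can be pulled in transitively, and install scripts are what `--ignore-scripts` suppresses) can both be checked against the lockfile npm already writes. The script below is an added example, not code from the thread or from any of the projects mentioned; it assumes a `package-lock.json` with `lockfileVersion` 2 or 3, where the `packages` map is keyed by install path and entries carry `version`, `dependencies` and, for packages with preinstall/install/postinstall hooks, `hasInstallScript: true`. The lockfile embedded here is constructed for the example; `some-sdk`, `padding-utils` and `native-thing` are hypothetical package names, and the axios versions are illustrative rather than a record of the incident.

```javascript
// Added example: answer two questions from a package-lock.json (v2/v3) without installing anything.
//   1. Does <name> (e.g. axios) appear anywhere in the tree, at which versions, and who pulls it in?
//   2. Which packages declare install-time scripts, i.e. what `npm ci --ignore-scripts` would skip?
// To run against a real project, replace CONSTRUCTED_LOCK with
//   JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))

// Constructed lockfile for the example. Package names below are hypothetical.
const CONSTRUCTED_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { "some-sdk": "^2.0.0", "padding-utils": "^1.0.0" } },
    "node_modules/some-sdk": { version: "2.3.1", dependencies: { axios: "^1.6.0" } },
    "node_modules/axios": { version: "1.6.8", dependencies: { "follow-redirects": "^1.15.0" } },
    "node_modules/follow-redirects": { version: "1.15.6" },
    "node_modules/padding-utils": { version: "1.0.2", dependencies: { axios: "^0.21.0", "native-thing": "^3.0.0" } },
    // A second, nested copy: npm could not hoist it because the ranges conflict.
    "node_modules/padding-utils/node_modules/axios": { version: "0.21.4" },
    "node_modules/native-thing": { version: "3.1.0", hasInstallScript: true },
  },
};

// Package name installed at a lockfile path is the segment after the last "node_modules/".
function pkgName(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Emulate Node's resolution of `name` as required from `fromPath`: look in the requiring
// package's own node_modules, then walk up one nesting level at a time to the root.
function resolveDep(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// All declared deps of an entry (the root entry also carries devDependencies).
function declaredDeps(entry) {
  return Object.assign({}, entry.dependencies, entry.optionalDependencies, entry.devDependencies);
}

// Every installed copy of `name`, with the packages whose declaration resolves to that copy.
// This is the lockfile-only equivalent of `npm ls <name> --all`.
function findPackage(lock, name) {
  const copies = {};
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path !== "" && pkgName(path) === name) {
      copies[path] = { version: entry.version, requiredBy: [] };
    }
  }
  for (const [path, entry] of Object.entries(lock.packages)) {
    const range = declaredDeps(entry)[name];
    if (!range) continue;
    const target = resolveDep(lock, path, name);
    if (target && copies[target]) {
      const requester = path === "" ? lock.name : pkgName(path);
      copies[target].requiredBy.push(`${requester}@${entry.version} (${range})`);
    }
  }
  return copies;
}

// Packages the lockfile flags as having install lifecycle scripts. These run arbitrary code
// on `npm install`; review each one by hand before deciding to allow scripts again.
function packagesWithInstallScripts(lock) {
  return Object.entries(lock.packages)
    .filter(([path, entry]) => path !== "" && entry.hasInstallScript)
    .map(([path, entry]) => `${pkgName(path)}@${entry.version}`);
}

// Demo run on the constructed lockfile.
for (const [path, info] of Object.entries(findPackage(CONSTRUCTED_LOCK, "axios"))) {
  console.log(`${path} -> axios@${info.version}, required by: ${info.requiredBy.join(", ")}`);
}
console.log("install scripts:", packagesWithInstallScripts(CONSTRUCTED_LOCK));
```

On a real checkout the same two answers come from `npm ls axios --all` and from reading the `hasInstallScript` flags; what the lockfile cannot tell you is whether a version listed in it was the one published during a compromise window, so compare the pinned versions against the advisory. The script flag the thread lands on can be made the default with `ignore-scripts=true` in the project's `.npmrc`, or per run as `npm ci --ignore-scripts`; as noted above, some native packages then need their scripts run deliberately afterwards.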

@amxmln Maybe I should be doing a quick search for any recent supply chain attacks too, right before I run an npm install on my local machine to start a dev session 😅 Just to check the coast is clear lol