Today's compromised npm package: only had the malicious code in the minified version.

We don't always think of JS as a compiled language, but reproducible/verifiable compilation would have helped here.

@wilfredh I tried to come up with a silver bullet solution, but it's tricky...
Ideally every package usage would include a hash of the exact version it uses, then someone couldn't change the code under everyone's nose. But with this, it's not possible to easily release security patches...

@MightyPork Stupid question: why not? Surely you'd still push the relevant commits to your git repo?

@wilfredh yes, but people using it as a dependency of dependency or deeper will get it with a long delay, if at all
