It seems like every couple of months now there is a story about somebody stealing credentials or hacking crypto wallets through some dependency of a dependency of a dependency of a...
I started talking about this with my friend and co-worker Adam the other day, and the problem seems daunting. There are so many projects on NPM that we rely on to build software. Writing everything we need from scratch feels overwhelming and a waste of time. Open Source software exists for this very reason. Maybe the answer is reading through the source code of everything that we use, but even this doesn't solve the problem. I'm writing this post in raw HTML because I didn't want to read 1600+ lines of code so that I could use a markdown library.
I had just started the process of rebuilding this site. So, as an experiment I decided to put some restrictions on the external dependencies that I have. Any dependency must fulfill one of the following
- Only use code from trusted sources (this feels a little fuzzy)
- Read all of the source code
- Write my own version
Maybe the answer is to maintain a list of approved modules for doing common tasks. But this would mean that someone has to create and update this list. Let's face it - we're busy, and this feels hard. It also feels like it's just wrapping a problem up in a lot of red tape.
I wish I had a good answer for this problem. Surprise! I don't. At some point, our community is going to have to come up with something that will address these issues. It may be hard. It will probably be painful. But at some point, we have to come up with a solution that gives us more confidence when installing third party code.
Until then, I guess I'll run
npm audit, look at who's maintaining the code I'm using, and 🤞🏻.