From the Sparkbox Foundry D A Y T O N

It seems like every couple of months now there is a story about somebody stealing credentials or hacking crypto wallets through some dependency of a dependency of a dependency of a...

I started talking about this with my friend and co-worker Adam the other day, and the problem seems daunting. There are so many projects on NPM that we rely on to build software. Writing everything we need from scratch feels overwhelming and a waste of time. Open Source software exists for this very reason. Maybe the answer is reading through the source code of everything that we use, but even this doesn't solve the problem. I'm writing this post in raw HTML because I didn't want to read 1600+ lines of code so that I could use a markdown library.

I had just started the process of rebuilding this site. So, as an experiment I decided to put some restrictions on the external dependencies that I have. Any dependency must fulfill one of the following

The client side of things has been very easy so far. There's just no JavaScript (for now). The server side is a little more complicated. What about things like Handlebars, Express, Babel, etc.? I feel like I trust them, but what about their dependencies? And their dependencies dependencies? I installed 10 packages for SASS, deploying, etc. 10. My `node_modules` folder has 425 individual packages installed! There's no way I'm going to read all of that code.

Maybe the answer is to maintain a list of approved modules for doing common tasks. But this would mean that someone has to create and update this list. Let's face it - we're busy, and this feels hard. It also feels like it's just wrapping a problem up in a lot of red tape.

I wish I had a good answer for this problem. Surprise! I don't. At some point, our community is going to have to come up with something that will address these issues. It may be hard. It will probably be painful. But at some point, we have to come up with a solution that gives us more confidence when installing third party code.

Until then, I guess I'll run npm audit, look at who's maintaining the code I'm using, and 🤞🏻.


< Home