How one yanked JavaScript package wreaked havoc

Serdar Yegulalp | March 23, 2016
When a developer 'unpublished' his work from the NPM JavaScript package registry, it broke dependencies for many other projects -- and highlighted the fragility of the open source ecosystem

Picking up the pieces

At least one project exists as an alternative to NPM for Node package management. The ied project proposes several changes intended to address some of the issues described above. Packages are identified by the SHA-1 checksum of their contents, not merely by a package name, so an installed dependency is tied to exact bytes: a package that is unpublished and then re-published under the same name by someone else will not match the recorded checksum and cannot be silently substituted for the original. That guarantee is only as strong as the hash, and SHA-1 was already considered weak against collisions in 2016; later lockfile formats moved to SHA-512 for this reason. Semantic versioning is also supported, so a specific version of a package can be requested.

Unfortunately, it isn't likely these improvements will find their way to a larger audience -- not so long as most Node.js and JavaScript developers continue to depend on NPM as their default.

The design of the early Internet assumed that trust exists between all parties, an assumption that was fine for a closed, academic environment. But as the Internet went public, that assumption turned into a time bomb, as criminal attackers learned to leverage obsolete protocols or exploit limitations in existing ones.

In the same way, many of the unquestioned assumptions about how NPM works -- and, more generally, how public software repositories work -- may have their biggest tests ahead of them.

Source: Infoworld 

