Worth mentioning that Bubblewrap[1] (bwrap) can remove most npm/node attack vectors or, at the very least, limit the damage from running arbitrary code during install/execution. Far from a silver bullet, and you'll want to combine it with a simple wrapper script to avoid dinking around with all its arguments, but it beats dealing with rootless Podman containers.
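A concrete version of the wrapper script the comment has in mind, written here as an added example (it is not code from the thread or from the bubblewrap project). The bind list, the `/home/sandbox` path and the no-network-by-default policy are this example's own assumptions; adjust them to your distro's layout.

```python
#!/usr/bin/env python3
"""Run npm/node under bubblewrap with a reduced view of the host.

Added example, not code from the thread or from the bubblewrap project.
Policy assumed here: OS read-only, project dir read-write, empty tmpfs home,
scrubbed environment, no network unless explicitly allowed.
"""
import os
import shlex
import sys

SANDBOX_HOME = "/home/sandbox"  # assumed path; exists only inside the sandbox


def bwrap_argv(project_dir, command, allow_net=False, cache_dir=None):
    """Return the full argv for bwrap without running it.

    allow_net=True is for `npm install` / `npm ci`; leave it off when running
    the installed code (`npm test`, `node app.js`) so a malicious package
    cannot phone home. cache_dir, if given, is a dedicated npm cache that is
    never the real ~/.npm.
    """
    project_dir = os.path.abspath(project_dir)
    argv = [
        "bwrap",
        "--unshare-all",       # fresh user/pid/net/ipc/uts/cgroup namespaces
        "--die-with-parent",   # nothing outlives the wrapper (e.g. a backgrounded miner)
        "--new-session",       # no TIOCSTI keystroke injection into the parent tty
        "--ro-bind", "/usr", "/usr",
        "--ro-bind-try", "/bin", "/bin",
        "--ro-bind-try", "/sbin", "/sbin",
        "--ro-bind-try", "/lib", "/lib",
        "--ro-bind-try", "/lib64", "/lib64",
        "--ro-bind-try", "/etc/ld.so.cache", "/etc/ld.so.cache",
        "--ro-bind-try", "/etc/ssl", "/etc/ssl",
        "--ro-bind-try", "/etc/ca-certificates", "/etc/ca-certificates",
        "--proc", "/proc",
        "--dev", "/dev",
        "--tmpfs", "/tmp",
        "--tmpfs", SANDBOX_HOME,  # real ~/.ssh, ~/.npmrc, ~/.aws are not mounted
        "--clearenv",             # NPM_TOKEN, AWS_*, GITHUB_TOKEN do not leak in
        "--setenv", "HOME", SANDBOX_HOME,
        "--setenv", "PATH", "/usr/local/bin:/usr/bin:/bin",
        "--setenv", "npm_config_cache", SANDBOX_HOME + "/.npm",
        "--bind", project_dir, project_dir,  # the only host path writable from inside
        "--chdir", project_dir,
    ]
    if cache_dir is not None:
        argv += ["--bind", os.path.abspath(cache_dir), SANDBOX_HOME + "/.npm"]
    if allow_net:
        argv += ["--share-net",
                 "--ro-bind-try", "/etc/resolv.conf", "/etc/resolv.conf",
                 "--ro-bind-try", "/etc/hosts", "/etc/hosts"]
    return argv + ["--"] + list(command)


def writable_mounts(argv):
    """Sandbox paths backed by writable host binds; review these before running."""
    opts = argv[:argv.index("--")]  # ignore the command after the separator
    return [opts[i + 2] for i, a in enumerate(opts) if a in ("--bind", "--dev-bind")]


def main(args):
    """usage: sandbox.py [--net] [--dry-run] PROJECT_DIR COMMAND..."""
    allow_net = dry_run = False
    while args and args[0] in ("--net", "--dry-run"):
        if args[0] == "--net":
            allow_net = True
        else:
            dry_run = True
        args = args[1:]
    if len(args) < 2:
        sys.exit(main.__doc__)
    argv = bwrap_argv(args[0], args[1:], allow_net=allow_net)
    if dry_run:
        print(shlex.join(argv))
        print("writable from inside:", writable_mounts(argv), file=sys.stderr)
        return 0
    os.execvp(argv[0], argv)  # replaces this process; bwrap's exit status becomes ours


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

`sandbox.py --net ./proj npm ci` installs with network; `sandbox.py ./proj npm test` then runs the installed code with no network, no real home directory and a scrubbed environment. `--dry-run` prints the bwrap command line and the writable mounts so the policy can be reviewed before anything executes. Note that `--new-session` breaks interactive job control, which is fine for install and test runs but not for an interactive shell.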
This looks really interesting, but it sounds like it's as complicated to set up as rootless Podman — which is to say not _that_ complicated. Anyone using this with Node or Deno successfully?
We made a script to avoid such situations. It checks the dependencies just by parsing the package.json (or the lock file), checking the relevant time on the npm registry, and returns an error if it finds a too-fresh package added.
We run it on CI for each commit/PR, and if a developer tries to commit a change that updates a JS dependency to a too recent one, it prevents the build from running, and so on. Basically we expect that a supply chain attack on npm would be noticed in a couple of weeks, and we enforce this time window on our code.
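The CI check described above, as an added example (not the commenter's script): it parses package-lock.json, reads each package's publish times from the registry's `time` table, and rejects any locked version younger than an assumed 14-day window. The sample lock file and registry replies at the bottom are constructed for the offline demonstration and are not real packages.

```python
#!/usr/bin/env python3
"""Fail CI when a locked npm dependency was published too recently.

Added example, not the commenter's script. Reads package-lock.json (v1, v2
or v3), asks https://registry.npmjs.org/<name> for its `time` table and
reports any locked version younger than MIN_AGE.
"""
import json
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

REGISTRY = "https://registry.npmjs.org"
MIN_AGE = timedelta(days=14)  # assumed policy: "noticed in a couple of weeks"


def locked_packages(lock):
    """Yield distinct (name, version) pairs from a package-lock.json dict."""
    seen = set()
    if "packages" in lock:  # lockfileVersion 2 and 3
        for path, meta in lock["packages"].items():
            if path == "" or meta.get("link") or "version" not in meta:
                continue  # root project, workspace symlink, or nothing to check
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if (name, meta["version"]) not in seen:
                seen.add((name, meta["version"]))
                yield name, meta["version"]
        return

    def walk(deps):  # lockfileVersion 1 nests dependencies recursively
        for name, meta in deps.items():
            if "version" in meta and (name, meta["version"]) not in seen:
                seen.add((name, meta["version"]))
                yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))
    yield from walk(lock.get("dependencies", {}))


def fetch_publish_times(name):
    """Return the registry's {version: ISO-8601 publish time} table for name."""
    url = f"{REGISTRY}/{urllib.parse.quote(name, safe='@')}"  # @scope/pkg -> @scope%2Fpkg
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)["time"]


def parse_npm_time(s):
    """npm publish times look like 2024-05-30T08:00:00.000Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def too_fresh(lock, now, fetch=fetch_publish_times, min_age=MIN_AGE):
    """Return [(name, version, age)] for locked versions younger than min_age.

    age is None when the registry has no publish time for that version
    (git/tarball dependency or a version it has never seen); that is also a
    finding, because the age cannot be established.
    """
    findings, times = [], {}
    for name, version in locked_packages(lock):
        if name not in times:
            times[name] = fetch(name)
        published = times[name].get(version)
        if published is None:
            findings.append((name, version, None))
            continue
        age = now - parse_npm_time(published)
        if age < min_age:
            findings.append((name, version, age))
    return findings


# Constructed sample data for the offline demonstration; not real packages.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/left-thing": {"version": "2.0.0"},
        "node_modules/@acme/util": {"version": "1.4.0"},
        "node_modules/@acme/util/node_modules/left-thing": {"version": "1.9.0"},
    },
}
SAMPLE_TIMES = {  # stand-in for each package's registry `time` field
    "left-thing": {"1.9.0": "2024-03-01T10:00:00.000Z",
                   "2.0.0": "2024-05-30T08:00:00.000Z"},
    "@acme/util": {"1.4.0": "2024-01-15T12:00:00.000Z"},
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def main(argv):
    path = argv[0] if argv else "package-lock.json"
    with open(path, encoding="utf-8") as f:
        lock = json.load(f)
    findings = too_fresh(lock, datetime.now(timezone.utc))
    for name, version, age in findings:
        why = "no publish time in registry" if age is None else f"published {age.days} days ago"
        print(f"REJECT {name}@{version}: {why} (minimum {MIN_AGE.days} days)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python3 check_age.py package-lock.json` in the CI job before `npm ci`; a non-zero exit blocks the build. Against the constructed sample, `left-thing@2.0.0` (published two days before NOW) is rejected while the older versions pass. Versions the registry has no publish time for are rejected as well rather than silently skipped.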
I don't know why you were downvoted. The actual page does not say SHA1, the attack as far as I know is not related to the SHA1 algorithm, and the name of the worm isn't intended as that sort of pun.
Ok, we've merged the (relevant) comments thither. Thanks!
Edit: Here's a bit of explanation for those curious. Even though the links are different, the test we use for whether to merge threads is whether they are substantially the same story vs. whether the two links will lead to substantially different discussion. In this case it's clear that it's the same discussion, so I merged them.
Since the second link has additional information, I've added it to the toptext of the original post. That way people can look at both.
[1] https://github.com/containers/bubblewrap