I posted this on Mastodon, but I think it's also worth posting here about all the NPM hot takes. Package managers won't go away; they're too useful. It's not like developers have ever listened to security people before now; this certainly won't make them start. If we do want to "fix" the package repositories, the question will be who is going to pay for this? Quite literally every package ecosystem on the planet is held together by thoughts and prayers. The resources needed to "do better" don't exist. The most likely solution will be that security people will complain, there will be loads of "the thing my company does can fix this problem (even if it can't)", and in a few weeks we will all pretend everything is fine.
The typical pattern is that a single technical concept is believed to hold the key. For example: see the (still ongoing) rush to slap MFA into everything... and yet still we have websites like Bandcamp and Leanpub that don't offer this in 2025 while retaining credit card details to enable fast purchasing, and other services that have poorly-configured and dangerous MFA. The concept that we naively believe will "solve" this is probably going to be some form of attestation. After all, we realized that boiling the ocean to catalogue and report on every vulnerability in every grain of sand doesn't solve the actual problem. We like hashes, though... As for who will pay for it: the bulk of the work will probably be done by thankless open source maintainers, in the sense described here: https://zedshaw.com/blog/2022-02-05-the-beggar-barons/ But companies will pay for "it" in some form also, because there will be paid proprietary closed-source enterprise versions of whatever the dominant attestation approaches are.
You get what you pay for, and business tends to get tunnel vision on free vs. any kind of cost. The use of open source and package managers is so ingrained, it's how 95% of developers are trained. Two uphill battles.
I respectfully disagree in the sense that Microsoft is a very well-resourced company, and they own NPM, so they could make security a priority. They choose not to, and that needs to be called out. Microsoft needs to be held accountable for its complete incompetence here.
If JavaScript had a better standard library the package manager attack surface would be smaller because you wouldn’t need an external dependency to pad a string. This mess is on the language designer (homophobe fascist Brendan Eich) as much as the npm team.
A product "Trust Registry", following IETF SCITT concepts, would help restore trust and prevent risky products from being downloaded.
No better way to get developers to listen than the undertones of "us versus them" (security people versus dev people) and binary categorization, no? Some developers make security tools too. At a personal level, I don't strictly see myself as one or the other (by identity, I think people would say my code isn't great enough to argue by my output lol). I do that specifically because the whiff of "us versus them, you them, you suck" gets picked up quickly.
I respectfully disagree with the statement that the NPM/JS ecosystem is similar to every other package manager. There are package managers which are crafted to enforce a minimum amount of dependencies, with proper cyclic dependency checks, and there are other tech stacks & package managers like JS & NPM that let developers opt for readily available, fully-featured packages for convenience, even if only a small portion of their functionality is needed, without always considering the size implications. Just like we have memory-safe languages, we have software-supply-chain-safe languages and toolstacks (when was the last time we had something similar to this happen to Go or Rust?). I recommend typing "why npm dependencies are huge" into Google and seeing what it tells you about the whole NPM and JavaScript dependency mess.
Or, God help us, they will come up with a secure, unusable, obscure package manager that requires a PhD in crypto to understand.
I am a broken record the past few days, but will repeat it again. The root problem for a lot of companies is that they don't know how to use package managers in the first place. No enterprise should be directly pulling packages from a public repo and injecting them into your build or using them on your developers' laptops. NONE. This is a high-risk activity, not just for cybersecurity reasons, but for simple product stability reasons... sucking down completely untested and unverified libraries into your product is crazy, and letting untested and unapproved third-party code execute on your developer machines is also crazy. This is why systems like Artifactory were created, so that companies can have *MIRRORS* and a *DEFINED PROCESS* to promote packages through a pipeline *ONLY AFTER* they have been vetted and tested, as well as approved by security. Anyone who was following this standard best practice would be untouched by any of the recent NPM issues.
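One concrete way to enforce the mirror-only policy the comment above describes is a CI gate that rejects a `package-lock.json` unless every dependency was resolved from the approved internal registry. The script below is an added example, not code from the commenter or from Artifactory; the mirror URL, the package names and the placeholder integrity hashes are all constructed for illustration.

```javascript
"use strict";
// Added example, not part of the comment above: a CI gate that refuses a
// package-lock.json unless every package was resolved from the approved
// internal mirror (the "defined process" the comment describes). The mirror
// URL and the sample lockfile are constructed for illustration.

// Hypothetical Artifactory-style mirror; substitute your own registry URL.
const APPROVED_REGISTRY =
  "https://artifacts.example.internal/api/npm/npm-approved/";

// Walk the lockfile (lockfileVersion 2/3 "packages" map) and collect every
// entry that was fetched from somewhere other than the mirror, or that lacks
// the integrity hash npm uses to verify the tarball. Returns an array of
// { name, reason } objects; an empty array means the lockfile passes.
function checkLockfile(lockJson, approvedRegistry = APPROVED_REGISTRY) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root project / workspace symlink
    const name = path.replace(/^.*node_modules\//, "");
    if (!entry.resolved) {
      violations.push({ name, reason: "no resolved URL (cannot prove origin)" });
      continue;
    }
    if (!entry.resolved.startsWith(approvedRegistry)) {
      violations.push({ name, reason: `resolved outside mirror: ${entry.resolved}` });
    }
    // Policy choice: require a sha512 subresource-integrity hash, not just any.
    if (!entry.integrity || !entry.integrity.startsWith("sha512-")) {
      violations.push({ name, reason: "integrity missing or not sha512" });
    }
  }
  return violations;
}

// Constructed sample lockfile: one compliant package, one pulled straight from
// the public registry, one with no integrity hash. Hashes are placeholders.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "left-pad": "^1.3.0", lodash: "^4.17.21" } },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: `${APPROVED_REGISTRY}left-pad/-/left-pad-1.3.0.tgz`,
      integrity: "sha512-" + "A".repeat(86) + "==",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      integrity: "sha512-" + "B".repeat(86) + "==",
    },
    "node_modules/some-util": {
      version: "0.0.1",
      resolved: `${APPROVED_REGISTRY}some-util/-/some-util-0.0.1.tgz`,
    },
  },
};

// Demo run. In CI you would read the real lockfile from disk and fail the
// build (non-zero exit) whenever the returned array is non-empty.
const demoViolations = checkLockfile(SAMPLE_LOCK);
for (const v of demoViolations) console.log(`${v.name}: ${v.reason}`);
console.log(
  demoViolations.length === 0 ? "lockfile OK" : `${demoViolations.length} violation(s)`
);
```

Pair this with a project-level `.npmrc` whose `registry=` line points at the same mirror so developer machines cannot reach the public registry by default; the lockfile check then catches anyone who bypassed that setting, and `npm ci` will still verify each tarball against the recorded `integrity` value.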
CEO @ Aquia | Chief Security Advisor @ Endor Labs | 2x Author | Veteran | Advisor
Yep. Much like broader open source, everyone will continue to jump up and down in security about all the things that need to change to be secure, the majority of open source developers will continue to be apathetic, and everyone will continue to consume open source at scale but be unwilling to fund it. Rinse, repeat for the next major incident.