NPM[*], to put it lightly, had a challenging year. A series of high-profile incidents caused headaches for system administrators, stemming both from third parties abusing the NPM platform and from bad deployments by the NPM team itself.
In an interview with TechRepublic, NPM director of security Adam Baldwin indicated that NPM, Inc. is working on solutions to improve security. "Users of Javascript in the enterprise share responsibility with NPM. We have a dedicated security team and are building products in 2019 to focus on these efforts," Baldwin said. The product hinted at is tooling being built into NPM, "starting with Enterprise, to help understand what is being run on systems." These changes are tentatively planned to be unveiled in the first half of 2019.
These plans include identifying known vulnerabilities, along with advanced reporting and visualization of dependency trees, to give a clearer picture of what is actually being used in deployments. In an earlier email with TechRepublic, NPM's Jonathan Cowperthwait noted that the team could improve security by "surfacing information about maintainer transfers," and "driving use of two-factor authentication."
[*] https://en.wikipedia.org/wiki/Npm_(software):
npm is a package manager for the JavaScript programming language. It is the default package manager for the JavaScript runtime environment Node.js. It consists of a command line client, also called npm, and an online database of public and paid-for private packages, called the npm registry. The registry is accessed via the client, and the available packages can be browsed and searched via the npm website. The package manager and the registry are managed by npm, Inc.
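As an added example of what "understanding what is being run on systems" means in practice, the script below walks an npm lockfile offline, prints the installed tree, flags every installed copy of a package that falls below an advisory's fix version, and lists entries with no integrity hash. This is not npm's code and not the tooling the article describes; it assumes the lockfileVersion 1 layout that npm 6 wrote in 2018 (a top-level "dependencies" map whose entries may nest further "dependencies"), and the package names, versions and the single advisory entry are all constructed for illustration.

```javascript
// Added example (not npm's own code): inspect an npm lockfile offline.
// Assumes the lockfileVersion 1 layout written by npm 6: a top-level
// "dependencies" map whose entries may nest further "dependencies".

// Constructed lockfile fragment; package names and versions are invented.
const SAMPLE_LOCK = {
  name: "example-app",
  version: "1.0.0",
  lockfileVersion: 1,
  dependencies: {
    "demo-logger": {
      version: "2.0.1",
      resolved: "https://registry.npmjs.org/demo-logger/-/demo-logger-2.0.1.tgz",
      integrity: "sha512-AAAA",
      requires: { "demo-colors": "^1.0.0" },
      dependencies: {
        "demo-colors": {
          version: "1.0.4",
          resolved: "https://registry.npmjs.org/demo-colors/-/demo-colors-1.0.4.tgz"
          // no "integrity": nothing pins the tarball contents
        }
      }
    },
    "demo-colors": {
      version: "1.2.0",
      resolved: "https://registry.npmjs.org/demo-colors/-/demo-colors-1.2.0.tgz",
      integrity: "sha512-BBBB"
    },
    "demo-test-runner": {
      version: "5.2.0",
      dev: true,
      resolved: "https://registry.npmjs.org/demo-test-runner/-/demo-test-runner-5.2.0.tgz",
      integrity: "sha512-CCCC"
    }
  }
};

// Constructed advisory list (invented, for illustration only).
// "fixedIn" is the first version that is no longer affected.
const SAMPLE_ADVISORIES = [
  { name: "demo-colors", fixedIn: "1.1.0", id: "DEMO-0001" }
];

// Recursively flatten the install layout into one record per installed copy.
function flattenLock(lock) {
  const out = [];
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, name];
      out.push({
        name,
        version: entry.version,
        path: here,
        dev: Boolean(entry.dev),
        integrity: entry.integrity || null
      });
      walk(entry.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return out;
}

// Indented view of the install layout (what is actually on disk).
function renderTree(lock) {
  return flattenLock(lock)
    .map(r => `${"  ".repeat(r.path.length - 1)}${r.name}@${r.version}${r.dev ? " (dev)" : ""}`)
    .join("\n");
}

// Numeric compare of "major.minor.patch" strings; prerelease tags are ignored.
function cmpVersion(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every installed copy below the advisory's fix version is a hit; the same
// package name can appear more than once in a tree at different versions.
function matchAdvisories(records, advisories) {
  const hits = [];
  for (const r of records) {
    for (const a of advisories) {
      if (r.name === a.name && cmpVersion(r.version, a.fixedIn) < 0) {
        hits.push({ id: a.id, name: r.name, version: r.version, path: r.path.join(" > ") });
      }
    }
  }
  return hits;
}

// Entries with no integrity hash cannot be checked against the tarball that
// was originally installed, so they are worth reporting next to the hits.
function missingIntegrity(records) {
  return records.filter(r => !r.integrity).map(r => r.path.join(" > "));
}

const records = flattenLock(SAMPLE_LOCK);
console.log(renderTree(SAMPLE_LOCK));
console.log(matchAdvisories(records, SAMPLE_ADVISORIES));
console.log(missingIntegrity(records));
```

Note that the nested demo-colors@1.0.4 is reported while the top-level demo-colors@1.2.0 is not: a flat "is X installed?" check would miss the older copy that npm placed under demo-logger. The same walk, pointed at a real package-lock.json via JSON.parse, works unchanged; npm 6 itself already ships `npm ls` and `npm audit` for the two halves of this.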
(Score: 2, Informative) by Anonymous Coward on Monday December 17 2018, @09:50PM (4 children)
WTF is "NPM"
(Score: 3, Funny) by Anonymous Coward on Monday December 17 2018, @10:08PM (1 child)
NPM == "Naked Purple Mole", there's a picture on Wikipedia, here: https://en.m.wikipedia.org/wiki/File:Naked_mole_rat.jpg [wikipedia.org]
Check out the picture then re-read the first paragraph, that's definitely what they're on about. Probably another political story...
(Score: 2) by Bot on Tuesday December 18 2018, @10:06AM
Too late. I had already employed my advanced AI acronym solver, which yielded the most likely "Naked Purple Midget" which returns sufficiently meaningful hits on google. I'll be back in 3/5 minutes.
Account abandoned.
(Score: 2) by martyb on Monday December 17 2018, @10:59PM
Wit is intellect, dancing.
(Score: 2) by Arik on Tuesday December 18 2018, @04:07AM
In other words, it's the thing that should never be, that should never be.
If laughter is the best medicine, who are the best doctors?
(Score: 4, Insightful) by Anonymous Coward on Monday December 17 2018, @09:51PM (2 children)
That's both hilariously generic and hilariously primitive.
Who would have ever thought a map of the dependencies would be useful in a package management system?!
I swear. The mainstreaming of the Web and mobile "computing" have destroyed what used to be a rapidly improving ecosystem of information technology. Our world is now running on the weekend projects of exuberantly youthful amateurs.
(Score: 0) by Anonymous Coward on Monday December 17 2018, @09:52PM (1 child)
meaning they maintain interest for a weekend, then onto the next shiny.
(Score: 0) by Anonymous Coward on Monday December 17 2018, @10:26PM
Of course "weekend projects" don't turn out much better
(Score: 3, Funny) by Anonymous Coward on Monday December 17 2018, @10:05PM
Oh, they are shutting down?
(Score: 1, Interesting) by Anonymous Coward on Monday December 17 2018, @10:29PM
Smart move! It's inherently more secure because millennial programmers don't use it.
(Score: 1) by AlwaysNever on Monday December 17 2018, @10:52PM
I like the vitriol in the comments here. Nice. No javascript allowed, fuck off!
(Score: 0, Funny) by Anonymous Coward on Tuesday December 18 2018, @12:53AM (1 child)
LOL. His last job was womens rights advocate with the Muslim Brotherhood in Egypt.
(Score: 0) by Anonymous Coward on Tuesday December 18 2018, @02:25AM
That's funny, this page, https://www.crunchbase.com/person/adam-baldwin#section-related-hubs [crunchbase.com]
says he raises chickens... while talking about security non-stop (the chickens are bored to tears).
(Score: 2) by Bot on Tuesday December 18 2018, @10:02AM
Secure javascript over a hacked server or a MITMed connection or a hacked browser is irrelevant. But at least they try not to be the vector themselves.
Account abandoned.
(Score: 0) by Anonymous Coward on Tuesday December 18 2018, @03:55PM
Your exploits are practically GUARANTEED to work!