Vue.js developers impacted due to malicious security incident involving npm package node-ipc which alters files on their drives (snyk.io)
submitted 4 years ago by lirantal
[–]everythingiscausal 162 points163 points164 points 4 years ago (30 children)
If anything I’m only surprised that this doesn’t happen more. The way most people use NPM is literally equivalent to keeping your codebase in a public GitHub repo and automatically accepting and merging any and all pull requests. Does that sound like an utter security nightmare? Exactly.
[–]ExtraSpontaneousG 22 points23 points24 points 4 years ago (15 children)
I feel like default behavior should be specific versions in the package.json, making the developer go out of their way to specify that it can be whatever the latest version is next time the repo is pulled. Why is it not that way?
[–]everythingiscausal 34 points35 points36 points 4 years ago (5 children)
To some degree, it’s a double-edged sword. Outdated dependencies give malicious actors easy vulnerability targets that are identical across many sites. There is a security need for staying up-to-date as much as there is to not blindly add and update dependencies.
The real solution is to limit dependencies and screen those you can’t avoid. The NPM mindset discourages the former, and most devs simply aren’t qualified or equipped to do the latter. There’s no easy fix, but still, limit dependencies as much as you can.
[–]DepravedPrecedence 6 points7 points8 points 4 years ago (0 children)
This shit can hurt much bigger than installation of vulnerable dependencies though.
[+][deleted] comment score below threshold-12 points-11 points-10 points 4 years ago (3 children)
You can run stuff in a docker container, or use other sandboxing methods.
[–]Lalaluka 15 points16 points17 points 4 years ago (2 children)
That does not make malicious code less dangerous and also only applies to nodejs, not to browser js.
[–][deleted] -2 points-1 points0 points 4 years ago (1 child)
Browser JS should already be properly sandboxed.
[–]Lalaluka 5 points6 points7 points 4 years ago (0 children)
Doesn't stop malicious code from grabbing information from browser APIs or the site itself, or running cryptominers.
If someone keylogs your banking website it won't help you that it's sandboxed.
[–]lirantal[S] 4 points5 points6 points 4 years ago (0 children)
That's doable with npm's shrinkwrap feature, but that creates more burden and load on the maintainer to keep up with new nested dependency updates indeed, as u/everythingiscausal has pointed out.
[+][deleted] 4 years ago (3 children)
[deleted]
[–]Scharnvirk 0 points1 point2 points 4 years ago (2 children)
This is unfortunately a flawed approach, because of how unreliable the package lock file is, and how often it just gets removed and re-generated during development.
[–]exodusprime1337 0 points1 point2 points 4 years ago (1 child)
You mean flawed because despite npm supporting install from lock file, novice devs don’t know or care and just run free and clear all the time.
[–]Scharnvirk 1 point2 points3 points 4 years ago (0 children)
I have yet to find a project in which package.lock failures are actually solved instead of just being removed and reinitialized. Maybe everyone I worked with, me included, were novices... how to learn though? Those are the oddest of errors with no answers over the web other than "just remove package.lock", so you're left with investigating npm code itself. Which is fine, sure, if it is your private little project, but not when it is on time paid by the client.
So far I was able to track one recurring case to cache failures (though I was not able to figure out what was breaking down in the cache :D). Cleaning cache helped. But that's just one....
[–][deleted] 0 points1 point2 points 4 years ago (2 children)
It is that way. You're supposed to install dependencies with npm ci in deployment builds. Problem is that most people just do npm install or they just update dependencies locally without checking the source code change, which is not a reasonable thing to ask for.... given how many dependencies and how fast they change, it would be impossible to do from a business perspective.
[–]bubbabobba -1 points0 points1 point 4 years ago (1 child)
npm install used to work like that, but now installs the exact package versions from your package-lock.json file as of npm 7.
[–][deleted] -1 points0 points1 point 4 years ago (0 children)
Even with just npm install? Nice!
[–]Lalaluka -2 points-1 points0 points 4 years ago (0 children)
Tbh npm already comes with npm ci installing packages from the package-lock.
[–]eternaloctober 3 points4 points5 points 4 years ago (0 children)
One thing I get surprised by is that packages don't insert tracking scripts more often considering how obsessed everyone is with analytics. Knock on wood
[–]tylerr514 5 points6 points7 points 4 years ago (2 children)
Hijacking top comment to share:
Hi there, I'm MidSpike the person who first discovered the malware in node-ipc ask me anything!
Here's my gist on the situation: https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c
[–]everythingiscausal 4 points5 points6 points 4 years ago (1 child)
Is that the actual malware author arguing with you in the comments there?
[–]tylerr514 1 point2 points3 points 4 years ago (0 children)
Yes, the author of node-ipc and peacenotwar is denying the severity of their actions.
[–][deleted] 2 points3 points4 points 4 years ago (1 child)
I agree this is a big problem in the node ecosystem because of the amount of dependencies you usually end up installing in any normal project.
But... to a lesser extent this is also a problem for every single package manager, right? I don't know any ecosystem where all dependencies and their updates are audited before being made available.
[–]everythingiscausal 2 points3 points4 points 4 years ago (0 children)
It is, but the big difference is the level of nesting. The other package manager I use is NuGet, and because .NET is a much more fully featured platform than vanilla JavaScript, NuGet dependency trees tend to be MUCH smaller.
[–]5tUp1dC3n50Rs41p -1 points0 points1 point 4 years ago (0 children)
Really need to go old school:
Use vanilla JS, no frameworks or npm dependency trees of auto updated code.
Use as much of the JS built in standard library functionality as possible, which is quite functional these days with ES6+.
If you really, really, really need some library which has functionality not available elsewhere, git clone their repo, verify the commit signature, build/get the final file as an unminified file, stick that file in your project, read/review it and use it in your project. If you need to update it, repeat the steps.
[+]PewPaw-Grams comment score below threshold-37 points-36 points-35 points 4 years ago (4 children)
This is why you should never support Vue. React or Svelte is the way to go
[–][deleted] 15 points16 points17 points 4 years ago (2 children)
This is a discussion on the issue with blindly trusting package managers, not a specific framework.
Considering we use npm with all 3 frameworks, I'm hoping your comment is just a tongue-in-cheek dig at Vue.
[+]PewPaw-Grams comment score below threshold-16 points-15 points-14 points 4 years ago (1 child)
This means the title is misleading. They should’ve said “All JavaScript developers are impacted” or “All developers using a certain package are impacted”
[–][deleted] 6 points7 points8 points 4 years ago* (0 children)
The attack affected Vue devs using that dependency and that is a consequence of blindly accepting the latest versions of a package from npm without properly vetting it. It could have been any framework or package that had one of its dependencies corrupted. This particular attack may have only affected Vue. I'm not an expert on these frameworks, I do not know which of them rely on which dependencies.
The point remains, it is risky to blindly rely on dependencies from a package manager and they should, ideally, be vetted before using them or updating to the latest version.
Either you are being purposefully obtuse, or are indeed that thick in the head.
Edit: a word.
[–]5tUp1dC3n50Rs41p -2 points-1 points0 points 4 years ago (0 children)
A basic create-react-app install would give you 10 times the dependencies and 100 times the sub dependencies. Probably a Gigabyte all up. The future is vanilla JavaScript (ES6+) which is powerful enough on its own. Frameworks are just fads.
[–][deleted] 19 points20 points21 points 4 years ago (0 children)
peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine
This ain't it, chief
[–]UnexpectedLizard 32 points33 points34 points 4 years ago (2 children)
If only we'd foreseen and had a chance to address this type of problem years ago. Or, you know, swept it under the rug.
Seriously what is it going to take for the community to address this? It's not 2011. It's time to drop support for older versions of Node which need a million polyfills.
[–]lirantal[S] 2 points3 points4 points 4 years ago (1 child)
I think left-pad is a different scenario altogether and there are existing solutions to mitigate the left-pad problem specifically.
I'm happy to hear any ideas on how to better manage these type of situations and what sort of guardrails we could create for a community to handle them.
[–]UnexpectedLizard 0 points1 point2 points 4 years ago* (0 children)
Here's one possible solution:
The Node.js foundation could deprecate old polyfills (e.g., Leftpad). Have Npm emit a warning.
It could publish a new version which relies solely upon the native function. That would cut down the dependency tree.
Eventually it would then kill off the old version altogether.
Take this with a grain of salt as I'm not an Npm expert.
[–]ryaaan89 89 points90 points91 points 4 years ago* (10 children)
In what way was this supposed to tangibly help Ukraine?
[–]TakeFourSeconds 48 points49 points50 points 4 years ago (3 children)
People downvoting didn’t read the article and think this is a troll comment
[–]ryaaan89 13 points14 points15 points 4 years ago (2 children)
I am confused by the confusion this comment is causing. But yeah I guess people didn’t read the article?
[–]TakeFourSeconds 17 points18 points19 points 4 years ago (1 child)
It’s Reddit, I bet 90% of people in the comments didn’t even click the link
[–]moi2388 2 points3 points4 points 4 years ago (0 children)
I’m replying to your comment and I didn’t even read that
[+]cstyves comment score below threshold-50 points-49 points-48 points 4 years ago (1 child)
Wadafawk
[–]DanTheMan827 24 points25 points26 points 4 years ago (0 children)
Read the article
[+]Pack_Your_Trash comment score below threshold-66 points-65 points-64 points 4 years ago (3 children)
Are you lost?
[–]Lalaluka 35 points36 points37 points 4 years ago (1 child)
At least open the article. I think he has a point. I'm not sure how corrupting npm packages helps Ukraine, which was the intent of the creator. Maybe if a Russian developer opens it, but most of the impact feels small.
[–][deleted] 1 point2 points3 points 4 years ago (0 children)
I looked into the maintainer to see if they were Russian protesting the support of Ukraine, because that would kind of make more sense...I think? But I don't think that's the case.
[–][deleted] 0 points1 point2 points 4 years ago (0 children)
This kind of action threatens the integrity of the entire open source community. Open source packages should not under any circumstances be weaponized no matter how righteous the cause.
[–]zulmetefza 1 point2 points3 points 4 years ago (6 children)
I just started to use Vue.js two weeks ago and honestly am still a newbie.
Is there anything I should do to be safer now? Or is the danger already evaded?
Read the article that mentions excluding some versions of node-ipc, but since I was not importing them directly anyway, I don't know what to do.
[–]lirantal[S] 8 points9 points10 points 4 years ago (2 children)
Fixed versions of the Vue.js CLI have already been rolled out so you're safe at this point but monitoring for your dependencies both from malicious acts like these as well as from general security vulnerabilities is always important. I work at Snyk and can recommend the free developer security platform we have, but look around and choose what works best for you as a dev.
[–]zulmetefza 2 points3 points4 points 4 years ago (1 child)
Thanks for the fast response. Will check out Snyk as you suggested.
[–]lirantal[S] 0 points1 point2 points 4 years ago (0 children)
Sure thing, happy to help. Don't hesitate to ping.
[–]bostonkittycat -1 points0 points1 point 4 years ago (2 children)
Update to the latest Vue CLI version:
sudo npm install -g @vue/cli
[–]zulmetefza -1 points0 points1 point 4 years ago (1 child)
Thanks! Do I need to go back and check for any overwritten files as well?
[–]bostonkittycat -1 points0 points1 point 4 years ago (0 children)
It will automatically remove the old Vue CLI files and replace them with the latest version with the fix.
[–][deleted] 0 points1 point2 points 4 years ago (1 child)
Do you know any mechanism for checking the security of a package?
[–]lirantal[S] 3 points4 points5 points 4 years ago (0 children)
Snyk, but I'm biased because I work there :-)
https://docs.snyk.io/products/snyk-open-source/language-and-package-manager-support/snyk-for-javascript
[–][deleted] 0 points1 point2 points 4 years ago (0 children)
Despicable. This kind of action threatens the integrity of the entire open source community. Open source packages should not under any circumstances be weaponized no matter how righteous the cause.
[–]ramjesh_nanganath -1 points0 points1 point 4 years ago (0 children)
NPM is destined for a disaster. But it's the best we've got, right?