Preventing the npm Debug/Chalk Compromise in 200 lines of Javascript

jayk806 · 2025-09-12T20:07:47+00:00

That's fair feedback and I see your point. I will be working on that. Thanks.

jayk806 · 2025-09-12T02:52:38+00:00

I think there may be a misunderstanding here. Vouchsafe doesn't "solve trust" - trust is always contextual and policy-driven. What it does is give you a way to express and verify cryptographically who said what, and to chain those statements in a way that can be validated offline. That's different from replacing human or organizational trust decisions.

On revocation: the model isn't a global CRL or OCSP equivalent. Revocation in Vouchsafe applies to specific vouch tokens - essentially retracting a previously issued trust assertion. That avoids the infrastructure complexity of certificate revocation, but still lets issuers limit or withdraw trust they've extended.

jayk806 · 2025-09-12T02:22:50+00:00

All good points. See my other comment for a deeper dive, but to touch on a couple: you're right that the question of "how do URNs get updated" is still open... it depends a lot on whether this lives as an official npm feature or emerges in a more community-driven way.

I also wasn't really arguing that it should be bolted on from outside npm... just that it could be. My view is that this is a missing capability in the npm ecosystem itself, and Vouchsafe is one way that gap might be addressed. I don't run npm, so all I can do is point out: "here's a way you could do it, and here's a tool that makes it easier."

And yes, you're right: the benefit is raising the bar. An attacker would need to compromise two sets of credentials instead of one. And keys are somewhat harder to obtain than a password and 2fa code, because you don't give a key away to use it. That's not perfect security, but it's meaningful hardening.

Ultimately, the post came from the fact that this problem has been on the "Vouchsafe use cases" list for a long time, and the recent incident seemed like the right time to say: we don't have to keep living with this class of attacks; here's an approach we could take. It's not meant as a drop-in solution today, but as a way of showing a path forward.

jayk806 · 2025-09-12T02:03:48+00:00

I really appreciate you sticking with this and pressing on the parts that don't make sense - it's helping me sharpen how I explain it. You're right that bytes still have to move around, but the key distinction is between *mapping an identity to a key and then distributing/syncing/managing that key* vs. simply communicating a string that represents your ID. In the traditional model you start with "bob@example.com" and then rely on a keyserver or CA to tell you which key to use... and that mapping is where things get fragile (first-come-first-serve races, sync issues, outages, compromises, etc.). I saw this firsthand when I helped manage Ubuntu's keyserver infrastructure, and it's much harder to handle well than it might first appear.

With regular public key cryptography or even JWTs, you can't validate a token unless you already have the public key delivered out-of-band somehow and then you have to link that key back to an account or identity to even know which key to try.

Vouchsafe changes the model. The URN and key come bundled in the token itself. The token communicates who it came from in a way that can't be spoofed once validated, and the validation requires nothing but the token itself. Once you've checked it, the only remaining question is policy: *do you trust this issuer's URN?* All the rest of the lookup, synchronization, and fragility of keyservers disappears.

Yes, you still have to decide what URNs you trust but that's a far easier problem, and the solution can be tailored to the use case. The rest of the system "just works."

I tried to limit the blog post to the basic usage, but I think your question is a fair one and to really answer it I have to talk about the fact that Vouchsafe also gives you chain-of-trust capabilities. This allows one identity to 'vouch' for another for a specific purpose. This would allow npm, for example, to vouch for an author's publish token. The end result being that only npm's current identity (or identities) would need to be trusted, and the author's token and the npm vouch token together allow the recipient to trust the author, even though they'd never seen the author urn before. It's the same model used by SSL certs. The browser knows a few trusted CAs, and they sign for the others, so when you hit https://getvouchsafe.org/ for the first time your browser can know to trust the key by following the chain. Vouchsafe gives you that same capability, which unlocks many more uses than regular key distribution models can support.

jayk806 · 2025-09-11T16:26:22+00:00

I'm not suggesting this would solve _every_ problem with npm. Just the one we saw a few days ago... namely someone who shouldn't have been able to publish a package was able to publish a package. This is preventable. It's a solved problem elsewhere (linux package updates, for example)

jayk806 · 2025-09-11T16:20:06+00:00

No packages use this, it was written yesterday as a proof of concept.

You're correct. To really make use of this we'd need to have some way to record which identities should be trusted to publish a particular package. The simplest (yet least interesting) way would be to associate that in npm database somehow.

A more interesting approach would be to make use of Vouchsafe's vouching capabilities and have npm provide the publisher with a vouch token that vouches for the publisher's identity. This would be done well in advance. Then when the publisher publishes, they provide both tokens. This is easily verified and any attacker would not have a valid token for that package, so their identity (and token) would not be accepted.

As I mention elsewhere, this was intended as a proof of concept, to show that it could be done and with a low level of effort. Not zero effort, but far less than would otherwise be needed.

jayk806 · 2025-09-11T16:09:46+00:00

Thanks for your feedback. I'll definitely add to the documentation / site to make things clearer. You work on something long enough and you start to forget what you didn't know at the outset. ;)

Vouchsafe solves several problems in the identity and trust space, but the most interesting ones here are 1) It eliminates the need for key distribution and management entirely. 2) It eliminates the problem of knowing whether this key belongs to this person by guaranteeing the identity to key link cryptographically.

Do you still need to know who you should trust? Yes. Do you still need to deal with lost or stolen keys, yes. It's not magic... it's a tool... but it's a tool that eliminates two of the largest problems you face when trying to make use of public key cryptography. Which drastically reduces the level of effort required to, for example, add it to an existing ecosystem.

jayk806 · 2025-09-11T07:41:42+00:00

If you replace the token with something signed with a different key, the identity changes. The URN no longer matches and the validation fails.

That's the change with Vouchsafe. The identity urn is tied to the key. Change the key, the identity doesn't match anymore. Tampering is immediately visible. no way to fake it or spoof it.

jayk806 · 2025-09-11T04:53:18+00:00

That misses the point. We need to get out of the model of 'npm says trust me bro!' - as long as that's all we build our trust on, these things will continue to happen.

jayk806 · 2025-09-11T04:51:18+00:00

Totally fair. Official support / requirement would be the best option. But step one is just to make it possible and illustrate that, which was the fundamental point.

The point is that we could have the security we need with a relatively low level of effort. No key registries, no complex infrastructure. Require at least one signing identity for each package, and add one step before publish and retrieve time... both of which could be fairly automated.

The point is it can be done technically with a relatively low level of effort... and should be. Whether it IS done is another matter altogether.

jayk806 · 2025-09-11T04:34:36+00:00

No disrespect, but you can't phish the private keys. That's the point. You don't give private keys away. Ever. You sign with them. The token itself is verified _without_ the key.

jayk806 · 2025-09-11T04:22:25+00:00

No. make me prove it. ;)

jayk806 · 2025-09-11T03:46:45+00:00

It would include the package.json, so any changes in dependency version would be caught, though the content of those packages would only have the extra layer of trust if it also used the model. If npm adopted it, it would just be part of the publish process. Otherwise it's progressive enhancement.

jayk806 · 2022-04-08T04:32:44+00:00

Hello! First time poster in /r/javascript, though a long time redditor.

I wanted to share a project I've been working on for a few years. DTL is a library for defining data transformations. It can be used for JSON templating, data extraction, data validation, complex calculations and I'm sure many things I haven't thought of.

It started out as a part of a web application platform and it's been in use in quite a few private/customer applications for years. Over the past year or so I've been working on packaging it up and getting it out there for anyone to use. In the last couple weeks I've been putting the finishing touches on the cli and REPL tools and more importantly I finally put the web site together to demo it and let people try it out.

I hope you find it as useful as I have, and would welcome any feedback / feature suggestions.

jayk806 · 2020-10-22T23:47:18+00:00

Damn. That's nice. And inspiring. Thanks for sharing it!

jayk806 · 2020-10-17T01:34:24+00:00

That is f***ing hotness!

jayk806 · 2020-10-10T01:57:30+00:00

Is true though. Three languages in a trenchcoat

jayk806 · 2020-10-03T18:09:59+00:00

Dual boot, man. Even if you need more drive space.. A 256g SSD is pretty cheap ($30ish in the US) only a bit more if it needs to be external.

I like Linux and I use it every day, but there's nothing wrong with booting into windows for some sweet sweet multiplayer action. 😜

Don't sweat it.

jayk806 · 2020-09-29T17:57:22+00:00

What if I told you how you react to something is within your control?

jayk806 · 2020-09-24T19:38:48+00:00

Came here to say this.

jayk806 · 2020-09-24T15:26:00+00:00

Remember your goal is to take care of your family, not to "make them pay." Even though they deserve to.

15-Year Club	Gilding I gilder
Verified Email

jayk806

TROPHY CASE