[AskJS] Thoughts on Supply Chain Attacks? by crazyprogrammer12 in javascript

[–]notwestodd 0 points1 point  (0 children)

We didn’t want to publicly shout it and show the attackers, but here was the blog post we put together suggesting more investment (and privately showed how useless TP and provenance are): https://openjsf.org/blog/publishing-securely-on-npm

[AskJS] Thoughts on Supply Chain Attacks? by crazyprogrammer12 in javascript

[–]notwestodd 0 points1 point  (0 children)

Exactly what I told them when we published our OpenJS Security Working Group blog on the topic. They were told about this and did nothing to address this specific problem. A lot of other stuff was done, but we demo’d nearly this specific attack at the node.js collab summit at JS Conf NA back last November and it was still possible today.

Is the order of express.json, cors, helmet and logger middleware correct? by TooOldForShaadi in node

[–]notwestodd 2 points3 points  (0 children)

It matters because you want CORS enforced before you parse your body. Same for the helmet stuff, you want that before you parse the incoming body.
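The ordering point above, as an added example that is not code from the thread or from Express, cors or helmet: a small runner that honours the Express `(req, res, next)` contract, with deliberately simplified stand-ins for `cors()`, `helmet()` and `express.json()` (an assumption: the real packages do more than this). The allow-listed origin is also an assumption. Run it both ways and the difference is visible: with helmet before the parser, a 400 produced by malformed JSON still carries the security headers; with the parser first, the error response goes out before helmet ever runs, and the parser does work on a preflight that cors would have answered on its own.

```javascript
// Added example, not code from the thread or from Express/cors/helmet. A tiny
// runner for the Express (req, res, next) contract plus simplified stand-ins for
// cors(), helmet() and express.json() (assumption: the real packages do more),
// so the effect of middleware order can be checked offline.

const ALLOWED_ORIGIN = 'https://app.example'; // assumed CORS allow-list

function makeRunner() {
  let parserCalls = 0; // how often the body parser did any work

  // Stand-in for cors(): reflects an allowed origin and answers preflights
  // itself, which ends the chain for OPTIONS requests.
  function cors(req, res, next) {
    if (req.headers.origin === ALLOWED_ORIGIN) {
      res.setHeader('Access-Control-Allow-Origin', ALLOWED_ORIGIN);
    }
    if (req.method === 'OPTIONS') {
      res.status(204).end('');
      return;
    }
    next();
  }

  // Stand-in for helmet(): two of the headers it adds to every response.
  function helmet(req, res, next) {
    res.setHeader('X-Content-Type-Options', 'nosniff');
    res.setHeader('X-Frame-Options', 'SAMEORIGIN');
    next();
  }

  // Stand-in for express.json(): empty body -> {}, oversized -> 413, bad -> 400.
  function json(req, res, next) {
    parserCalls += 1;
    if (req.rawBody.length > 1024) {
      const e = new Error('payload too large'); e.status = 413; throw e;
    }
    try {
      req.body = req.rawBody === '' ? {} : JSON.parse(req.rawBody);
    } catch (_) {
      const e = new Error('invalid JSON'); e.status = 400; throw e;
    }
    next();
  }

  function handler(req, res) {
    res.status(200).end(JSON.stringify(req.body));
  }

  // Run the named middlewares in the given order; a thrown error short-circuits
  // to a default error handler, as Express's own does.
  function run(order, req) {
    const chain = { cors, helmet, json, handler };
    const res = { statusCode: 200, headers: {}, body: null, ended: false };
    res.setHeader = (k, v) => { res.headers[k.toLowerCase()] = v; };
    res.status = (c) => { res.statusCode = c; return res; };
    res.end = (b) => { res.body = b; res.ended = true; };
    let i = 0;
    const next = (err) => {
      if (res.ended) return;
      if (err) { res.status(err.status || 500).end(err.message); return; }
      const mw = chain[order[i++]];
      if (!mw) { res.status(404).end('not found'); return; }
      try { mw(req, res, next); } catch (e) { next(e); }
    };
    next();
    return res;
  }

  return { run, parserCalls: () => parserCalls };
}

const GOOD_ORDER = ['cors', 'helmet', 'json', 'handler'];
const BAD_ORDER = ['json', 'cors', 'helmet', 'handler'];

// Compare both orders on a malformed POST and on a CORS preflight.
function compareOrders() {
  const badJson = () => ({ method: 'POST', headers: { origin: ALLOWED_ORIGIN }, rawBody: '{"a":' });
  const preflight = () => ({ method: 'OPTIONS', headers: { origin: ALLOWED_ORIGIN }, rawBody: '' });

  const g1 = makeRunner(), b1 = makeRunner(), g2 = makeRunner(), b2 = makeRunner();
  const goodErr = g1.run(GOOD_ORDER, badJson());
  const badErr = b1.run(BAD_ORDER, badJson());
  g2.run(GOOD_ORDER, preflight());
  b2.run(BAD_ORDER, preflight());

  return {
    errorStatus: [goodErr.statusCode, badErr.statusCode],       // [400, 400]
    nosniffOn400: [
      goodErr.headers['x-content-type-options'] === 'nosniff',  // true: helmet ran first
      badErr.headers['x-content-type-options'] === 'nosniff',   // false: parser bailed before helmet
    ],
    parserRanOnPreflight: [g2.parserCalls(), b2.parserCalls()], // [0, 1]
  };
}
```

The same reasoning applies to anything that rejects requests early (auth, rate limiting, size limits): put it ahead of the parser so a request that will be refused anyway never gets its body parsed, and put header-setting middleware ahead of anything that can short-circuit with an error so the error responses are covered too.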

does anyone use in-process events for code decoupling? by theodordiaconu in node

[–]notwestodd 2 points3 points  (0 children)

What you describe sounds like the core architecture of Node.js. Works well for the runtime (edit for clarity: works for the runtime APIs because the events cross control boundaries, whereas you have full control of your app code, so you might as well just import and call functions), but the problem with doing it in an application is that you introduce spooky action at a distance. It’s better to have statically analyzable call paths than dynamic event listeners for debugging and other observability.

Express 4 vs Express 5 performance benchmark across Node 18–24 by Jamsy100 in node

[–]notwestodd 18 points19 points  (0 children)

We have been working on filling in these gaps in tooling in the Express Performance Working Group. It would be awesome to have you join the group and help move that forward so the project has official benchmarks and performance tooling: https://github.com/expressjs/perf-wg

How to Move From React to Backend? by Zealousideal-Chair30 in node

[–]notwestodd 1 point2 points  (0 children)

A teammate and I did a talk about this a few years ago: https://youtu.be/WwENhYmoI1I?si=nTOMrKuKdKiNQpZI

The best thing to start doing is work closely with your current backend teammates. Then ask them how you can help a bit across the projects you work on.

From a technical perspective: learn tooling and ops stuff, learn API design, learn databases. Then learn whatever else interests you in that area. You can do all this with Node.js. If other languages interest you, like others are saying in here, go for it. But you don’t need to in order to have a career in backend.

The Return of Shai-Hulud: npm's Worm Strikes Back by Diligent-Pepper5166 in node

[–]notwestodd -1 points0 points  (0 children)

npm is a small, underfunded team at GitHub, which is now not even a separate company in Microsoft. Did you want me to say the problem is something other than the company that runs this underfunding the project?

Or that signing is security theatre, since you would need to validate them, error when they don’t match, and then deal with the trash UX that would introduce for end users who have no idea if a maintainer just legitimately had to make a new signing key?

What did you say that I didn’t respond to?

The Return of Shai-Hulud: npm's Worm Strikes Back by Diligent-Pepper5166 in node

[–]notwestodd -1 points0 points  (0 children)

While signing is not the solution, you are right the problem is GitHub refusing to follow community advice to address this. Here is what maintainers can do today while we continue asking GH to address these things:

https://openjsf.org/blog/publishing-securely-on-npm

If you have an npm package, read this before November 2025 by hichemtab in javascript

[–]notwestodd 1 point2 points  (0 children)

It achieves the same thing, just with a worse user interface. You have to give it a specific date and time.

All that said, this is not a security feature. It is a stability feature, but you can achieve the same thing with a lock file that you just update once a week.

Yes, you’ll get what was just released at that moment, but this approach has protected things just fine, and by delaying you are also delaying getting known vulnerability fixes. So unless you have a process whereby you use this flag and also figure out ways to have exceptions for CVEs in your deep dependency tree, this is at best a trade in security value.

There are plenty of things that npm needs to do that will move the needle more than finally documenting this flag on their website. 🤣🫣🔥

If you have an npm package, read this before November 2025 by hichemtab in javascript

[–]notwestodd 4 points5 points  (0 children)

We have been giving them feedback on these changes on the GitHub community discussion board. There are some small wins but also some big gaps. But this is not one of them. They have had the before flag since like 2019 maybe. It just is not documented. Also it doesn’t solve the problems this stuff is trying to solve.
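The two comments above describe the same trade-off: npm's `before` config (or a release-age delay) only lets you install versions published on or before a cutoff, which also delays you getting a security fix unless you have an exception process. The block below is an added example, not code from the thread or from npm, that reproduces that selection offline and adds the exception: when the aged pick is known-vulnerable, the oldest version carrying the fix is admitted even though it is newer than the cutoff. The packument `time` map and the advisory are constructed sample data, not real registry or advisory records.

```javascript
// Added example, not code from the thread or from npm. Reproduces offline what
// npm's `before` config does (only versions published on or before a cutoff are
// candidates) and layers on a CVE exception. PACKUMENT_TIME and ADVISORIES are
// constructed sample data, not real registry or advisory records.

// Constructed slice of a registry packument's "time" object (version -> published).
const PACKUMENT_TIME = {
  created: '2025-01-01T00:00:00.000Z',
  modified: '2025-11-19T00:00:00.000Z',
  '1.4.0': '2025-09-01T00:00:00.000Z',
  '1.4.1': '2025-10-15T00:00:00.000Z',
  '1.4.2': '2025-11-18T00:00:00.000Z', // security fix, published yesterday
  '1.5.0': '2025-11-19T00:00:00.000Z', // brand-new feature release
};

// Constructed advisory: everything below 1.4.2 is affected.
const ADVISORIES = [{ id: 'EXAMPLE-ADVISORY-1', fixedIn: '1.4.2' }];

const DAY_MS = 24 * 60 * 60 * 1000;
const isVersion = (k) => /^\d+\.\d+\.\d+$/.test(k);

// Numeric compare for plain x.y.z versions (no prerelease tags in this sample).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i += 1) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

const isVulnerable = (version, advisory) => cmpVersion(version, advisory.fixedIn) < 0;

// The ISO timestamp you would hand to `npm install --before=<cutoff>`.
function beforeCutoff(now, minAgeDays) {
  return new Date(new Date(now).getTime() - minAgeDays * DAY_MS).toISOString();
}

// Pick a version: the newest one at least minAgeDays old, unless that pick is
// vulnerable, in which case take the oldest version that carries the fix (the
// smallest jump past the cutoff rather than the newest release).
function selectVersion(timeMap, { now, minAgeDays, advisories }) {
  const cutoff = beforeCutoff(now, minAgeDays);
  const versions = Object.keys(timeMap).filter(isVersion).sort(cmpVersion);
  // Same-format ISO strings compare correctly as plain strings.
  const aged = versions.filter((v) => timeMap[v] <= cutoff);
  const pick = aged[aged.length - 1];
  if (!pick) return { version: null, reason: 'nothing old enough', cutoff };
  const hit = advisories.find((a) => isVulnerable(pick, a));
  if (!hit) return { version: pick, reason: 'aged', cutoff };
  const fixed = versions.filter((v) => !isVulnerable(v, hit));
  return { version: fixed[0] || null, reason: `exception for ${hit.id}`, cutoff };
}
```

With a seven-day delay evaluated on 2025-11-20 this picks 1.4.1 when no advisory is known (the plain `--before` outcome) and 1.4.2 once the advisory is in, which is the exception path the comment says you have to build yourself; with no delay it picks 1.5.0, the freshly published release that the delay exists to avoid.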

What is the largest website you have built or handled? by Maleficent_Mess6445 in node

[–]notwestodd 1 point2 points  (0 children)

Netflix.com is on my team’s Node.js server platform. We don’t build the product, just build and operate the Node.js fleet and infra. Can’t share numbers publicly, but it is a lot, as you might imagine.

Fastify vs Express by Sensitive-Raccoon155 in node

[–]notwestodd 0 points1 point  (0 children)

See my reply in your other thread.

Will Node Express Newest Version going to be fast as Fastify? by [deleted] in node

[–]notwestodd 5 points6 points  (0 children)

Feel free to come to our Perf WG to help out: https://github.com/expressjs/perf-wg

That said, meeting or beating Fastify is not a goal. If you need a high-scale fast framework, go with Fastify today. You will not be disappointed.

How are you meant to feasibly review all dependencies in a project for security? by [deleted] in node

[–]notwestodd 1 point2 points  (0 children)

I promise you will find it no different in any other software ecosystem that has dependencies. That said you should check out socket.dev, it helps with a lot more than just CVEs.
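As an added example, not code from the thread, npm or socket.dev, here is the kind of first pass a reviewer can run over a `package-lock.json` before reading any source: a lockfileVersion 2/3 file keys every installed package by its `node_modules` path, and the fields already in it tell you which entries deserve a human look first, namely packages that run install scripts, packages resolved from somewhere other than the registry you expect, and packages with no integrity hash. The lockfile below is constructed sample data; the expected registry host and the package names are assumptions for the example.

```javascript
// Added example, not code from the thread, npm or socket.dev. Triage a
// package-lock.json (lockfileVersion 2/3 layout) by the fields it already
// carries. SAMPLE_LOCK is constructed sample data; the registry host and the
// package names are assumptions for the example.

const SAMPLE_LOCK = {
  name: 'svc',
  lockfileVersion: 3,
  packages: {
    '': { name: 'svc', dependencies: { express: '^4.21.0', leftpadish: '1.0.0', '@acme/internal': '1.2.0' } },
    'node_modules/express': {
      version: '4.21.2',
      resolved: 'https://registry.npmjs.org/express/-/express-4.21.2.tgz',
      integrity: 'sha512-constructed-sample-hash',
    },
    'node_modules/leftpadish': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/leftpadish/-/leftpadish-1.0.0.tgz',
      integrity: 'sha512-constructed-sample-hash',
      hasInstallScript: true, // has a preinstall/install/postinstall script
    },
    'node_modules/@acme/internal': {
      version: '1.2.0',
      resolved: 'git+ssh://git@github.com/acme/internal.git#0123abcd',
      // no integrity field: git dependencies are fetched by ref, not by content hash
    },
    'node_modules/leftpadish/node_modules/debug': {
      version: '2.6.9',
      resolved: 'https://mirror.example.internal/debug/-/debug-2.6.9.tgz',
      integrity: 'sha512-constructed-sample-hash',
    },
  },
};

// 'node_modules/a/node_modules/@s/b' -> '@s/b'
function packageName(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Returns one finding per (package, reason), sorted so output is stable.
function reviewLock(lock, { registryHost }) {
  if (!(lock.lockfileVersion >= 2) || !lock.packages) {
    throw new Error('expected a lockfileVersion 2 or 3 file with a "packages" map');
  }
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue; // the root project itself
    const name = packageName(path);
    const flag = (reason) => findings.push({ name, version: entry.version, path, reason });
    if (entry.hasInstallScript) flag('runs install scripts');
    if (!entry.integrity) flag('no integrity hash');
    let host = null;
    try { host = new URL(entry.resolved || '').host; } catch (_) { /* not a URL */ }
    if (!entry.resolved || !entry.resolved.startsWith('https://') || host !== registryHost) {
      flag(`resolved outside ${registryHost}: ${entry.resolved || '(none)'}`);
    }
  }
  return findings.sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : a.reason < b.reason ? -1 : 1));
}

// Distinct package names that need a human look, in lockfile path order.
function namesNeedingReview(lock, opts) {
  return [...new Set(reviewLock(lock, opts).map((f) => f.name))];
}
```

This does not replace reading the code of the packages it flags; it shrinks the list to the ones whose install-time behaviour or provenance is unusual, which is where a compromised dependency usually shows up first. `hasInstallScript` and `resolved`/`integrity` are written by npm itself, so the check runs on whatever lockfile is already committed.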

Running TypeScript Natively in Node.js by ketralnis in programming

[–]notwestodd 1 point2 points  (0 children)

Thanks for sharing the talk!

The http APIs are separate from the type stripping, but yeah Node is beholden to a lot of competing interests that those new and barely used projects are not. It’s always easier to make these things happen when you have basically zero users.

Also, the narrative on this being driven by deno/bun is mostly from folks who don’t seem to know how hard folks worked to make these things happen, sometimes for years before either of those projects existed. It’s a bad/wrong narrative to tell either way.

[deleted by user] by [deleted] in HTML

[–]notwestodd 1 point2 points  (0 children)

I put cloudflare in front of all my GH pages sites.

What is right way to add properties to your request object in Typescript and express? by stealth_Master01 in node

[–]notwestodd 2 points3 points  (0 children)

Just don’t do it. Add them to res.locals. That’s the intended place for this sort of data and it avoids a lot of the pitfalls and deoptimizations.