The Vulnerability We Deserve

This article is already old news for me and largely irrelevant as i don’t use much in the way of rando js modules, random packages, etc. However the subject is interesting due to the conversations that has spawned:

As always, the hell is in the comments from these posts but mostly this boils down to a couple of things for me:

  1. In the mad rush to develop details get drowned in the mad flow of dependencies, libraries, etc. etc. etc. that get imported in willy-nilly to provide functionality without remaking the wheel.

  2. The superficial incentives to write and release millions of tiny modules and libraries result in heavy obfuscation of core beliefs in what software should be.

And this is where I get slightly Stallman-esque.

The code, in this case, was in the minified version and therefore, for practical purposes, unreadable for most. And while minified code serves a purpose when used on the web (i.e. small files, quick speeds, etc.) it is something that can’t be read or studied easily. This goes double for the user of a website where they are greeted by and have already used the software in question before they have the chance to read it.

But blah blah blah–that’s a whole separate topic.

Sticking mostly to the hell-world that’s node and NPM I ran quick test where I installed express to see what would happen. the result cranked out the following:

+ express@4.16.4
added 48 packages from 36 contributors and audited 121 packages in 2.97s
found 0 vulnerabilities

Mind you, I am not disparaging express it was simply the first example that came to mind.

However, within the modules folder there are now 48 folders each with their own code, etc. - dependencies with dependencies with dependencies and each with their own points of failure and possibilities for corruption.

Add to this the devil may care attitude of open source developers who release their projects into the hands of whomever they want. This creates the (obviously very real) possibility of the new maintainers then putting malicious code into the package on the next version update and there’s a huge potential for problems. And this is why the “open source developers don’t owe you anything” argument falls flat. They might not owe users anything in terms of direction and development of their program, but they do owe them the ability to trust in the last release of their signed product.

This, of course, is another issue entirely. The glut of projects on GitHub, etc. that are desperate for new maintainers is astounding and is a topic for important future action.

Barring actual responsibility from developers, the first solution, I imagine, would then be proper due diligence on those who are importing libraries like gangbusters. They have the duty to make sure their code is as harmless as possible and therefore must accept the risks and responsibilities of managing third party libraries.

That is a bit extreme though. One cannot simply inspect all the libraries and excess code that is contained therein so what then?

Perhaps a rethinking of the entire NPM styled system. To be frank, it’s nonsense and very close to a vanity measuring contest with its bragging of how many packages are available and such. The result of which is the glorification of package production and the increased chances of abuse by those who know that the flawed model has become a place of misplaced trust by developers. (see here for an well reasoned article on the issue along with a call for the creation of a Standard Library)

There must be the ability to read the code and understand it and code that’s dependent on more code needs to find a way of incorporating that code in a manner that allows it some control over it so that bad things can’t be slipped into it.

Freedom is necessary, free software is necessary and both should do no harm.