The Node.js Ecosystem Is Chaotic and Insecure

A modern web developer at work

It seems like only yesterday we had the “left-pad” fiasco where Azer Koçulu ended up pulling his packages after a name dispute.

It wasn’t really that dangerous that the code was deleted, that only broke the builds which everyone noticed during their build process and the whole ordeal lasted for like two hours.

It was dangerous because that it was a small redundant package that no one would ever actually bother to audit before deploying, so anyone could have jumped in and published a package in it’s place with the same functionality but also stick some malicious code into it and get a free ride to get deployed essentially anywhere that ran JavaScript.

Well, it sure is a good thing we learned our lesson from that isn’t it?

We Still Can’t Code

When left-pad hit, developers from other camps were having their laughs at how this tiny piece of code could be a module. Good thing we have learned by now right? Well, no, not at all.

The following wonder of engineering aptly named is-odd has around 500 000 downloads per day.

Going through the dependents tree, I found hundreds of projects depending on this but more importantly also the big players including Webpack, BrowserSync and Babel depend on it.

Basically this means that if this package was a trojan waiting to do a bait-and-switch in a minor patch then it could theoretically inject code into the developer’s machine but also inject itself into the code generation of whatever prepreprocessors available via require, including Babel and Webpack.

Now that’s a lot of power to give to a package that should just have been a single modulus or bitwise operator call.

But surely this is a freak occurrence right? Actually no, it’s common practice today, the “do not repeat yourself” mantra has been taken a bit too literally where many will consider even writing basic one liners re-inventing the wheel.

The is-number package has nearly two million downloads per day. is-odddepends on this…