node-ipc
The future of MidSpike/node-ipc
Hopefully everyone is aware of CVE-2022-23812.
This issue exists to discuss the future of MidSpike/node-ipc.
One of my projects, iris-utilities, depended on RIAEvangelist/node-ipc and I am now unable to trust that repository.
That is why I have created this fork, to continue the maintenance of node-ipc under a new maintainer.
I highly recommend that everyone either fork this repository or help maintain it.
I would like help from the community for creating rules on how this repository should be maintained. Please leave your suggestions below.
Suggestion for one rule: don't let anyone talk about their political, religious or controversial views, or allow any commits of that kind in this repo.
To enforce this and future rules: maybe don't let people who have broken previous rules commit to this repo.
P.S.: These are just suggestions and can (and should) change.
Do you think you should make a new repo with only the branches that are known to be safe to prevent npm from accidentally installing an unsafe branch? Or does npm only access releases?
Good job! At least some people here still care about FOSS adoption.
I applaud your efforts, especially given how we live in a post-truth world where most run with the mob, even if it makes no sense to hate Russia right now. Respect!
But I'm curious: Do you really think that'll make any difference? Do you think you can keep maintaining it?
I'm not a JS dev (occasional user), but even I know you cannot possibly verify every single upstream package. Even I've encountered further Ukrainian malware than just this in the wild, and I'm very sensitive about what I run.. (Shouldn't say Ukrainian, the loudmouths are typically random upper-class-virtue-signaling guys. Not like they care about Ukraine or Donbas or Russian civilians.) It's very trendy to hurt others in the name of whatever the loudest government crook spouts. Rewards nice internet ego points.
Let's look at node-ipc alone:
npx howfat node-ipc -d -r table
[email protected] (117 deps, 4.01mb, 1022 files)
╭────────────────────────┬──────────────┬──────────┬───────╮
│ Name │ Dependencies │ Size │ Files │
├────────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 77 │ 2.05mb │ 605 │
├────────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 49 │ 1.28mb │ 371 │
├────────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 0 │ 928.64kb │ 90 │
├────────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 3 │ 102.9kb │ 65 │
├────────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 0 │ 90.01kb │ 6 │
├────────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 2 │ 61.13kb │ 20 │
├────────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 0 │ 54.39kb │ 14 │
├────────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 0 │ 27.82kb │ 10 │
├────────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 1 │ 25.79kb │ 12 │
├────────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 0 │ 10.07kb │ 6 │
├────────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 0 │ 8.18kb │ 8 │
╰────────────────────────┴──────────────┴──────────┴───────╯
How about something common like jasmine:
npx howfat jasmine -d -r table
[email protected] (240 deps, 21.54mb, 7470 files)
╭────────────────────┬──────────────┬──────────┬───────╮
│ Name │ Dependencies │ Size │ Files │
├────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 139 │ 17.59mb │ 6305 │
├────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 113 │ 5.08mb │ 2130 │
├────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 59 │ 864.04kb │ 409 │
├────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 20 │ 581.63kb │ 252 │
├────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 0 │ 365.98kb │ 21 │
├────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 15 │ 215.55kb │ 92 │
├────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 11 │ 144.1kb │ 56 │
├────────────────────┼──────────────┼──────────┼───────┤
│ [email protected] │ 0 │ 3.42kb │ 5 │
╰────────────────────┴──────────────┴──────────┴───────╯
(I'm sure there are worse examples, but you get the point. The 'hello world' in some electron tutorial has hundreds of non -d deps and is run by millions of people.)
What choice do we really have?
You can only read so much. Besides the sheer amount, there are thousands of updates across all the packages we interact with on a daily basis. Even if you don't develop in JS/node, you probably use half a dozen applications making use of it one way or another.
I'd be interested in the view of experienced JS guys. Are we all gamblers now?
Do we have any efficient sandboxing options? From what I can tell, no.