
Wow. Another huge package got compromised. I'm going to repost my PSA[0][1] that I posted after Axios and LiteLLM were compromised. The bit about lifecycle scripts applies too:

PSA: npm/bun/pnpm/uv now all support setting a minimum release age for packages. I also have `ignore-scripts=true` in my ~/.npmrc. Based on the analysis, that alone would have mitigated the vulnerability. bun and pnpm do not execute lifecycle scripts by default. Here's how to set global configs to set min release age to 7 days:

  ~/.config/uv/uv.toml
  exclude-newer = "7 days"

  ~/.npmrc 
  min-release-age=7 # days
  ignore-scripts=true
  
  ~/Library/Preferences/pnpm/rc
  minimum-release-age=10080 # minutes
  
  ~/.bunfig.toml
  [install]
  minimumReleaseAge = 604800 # seconds

If you do need to override the global setting, you can do so with a CLI flag:

  npm install <package> --min-release-age 0
  
  pnpm add <package> --minimum-release-age 0
  
  uv add <package> --exclude-newer "0 days"
  
  bun add <package> --minimum-release-age 0

I should add one extra note. There seems to be some concern that the mass adoption of dependency cooldowns will lead to vulnerabilities being caught later, or that using dependency cooldowns is some sort of free-riding. I disagree with that. What you're trading by using dep cooldowns is time preference. Some people will always have a higher time preference than you.

0: https://news.ycombinator.com/item?id=47582220

1: https://news.ycombinator.com/item?id=47513932
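To make the cooldown semantics concrete (and to check a lockfile, since a committed lockfile can already pin a too-new transitive dependency), here is an added example that is not part of the comment above. It assumes the shape of the npm registry's per-package "time" map (version -> ISO-8601 publish timestamp); the package name, timestamps and lockfile excerpt are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the npm registry's per-package "time"
# map (version -> ISO-8601 publish timestamp). Package name is a placeholder.
REGISTRY = {
    "example-lib": {
        "created": "2023-01-10T12:00:00.000Z",
        "modified": "2026-04-01T09:30:00.000Z",
        "1.0.0": "2023-01-10T12:00:00.000Z",
        "1.1.0": "2025-11-20T08:15:00.000Z",
        "1.1.1": "2026-03-30T18:45:00.000Z",  # ~2 days old at NOW
        "1.2.0": "2026-04-01T09:30:00.000Z",  # hours old at NOW
    },
}
NOW = datetime(2026, 4, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

def parse_ts(ts: str) -> datetime:
    """Registry timestamps end in 'Z'; return a timezone-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def publish_dates(time_map: dict) -> dict:
    """Version -> publish datetime, skipping the 'created'/'modified' keys."""
    return {v: parse_ts(ts) for v, ts in time_map.items()
            if v not in ("created", "modified")}

def newest_allowed(time_map: dict, min_age_days: int, now: datetime = NOW):
    """Newest version published at least min_age_days before now (None if
    nothing qualifies). This is what a cooldown does at resolution time."""
    cutoff = now - timedelta(days=min_age_days)
    ok = [(d, v) for v, d in publish_dates(time_map).items() if d <= cutoff]
    return max(ok)[1] if ok else None

def audit_lockfile(locked: dict, registry: dict, min_age_days: int,
                   now: datetime = NOW) -> list:
    """(name, version, age_days) for locked versions younger than the cooldown.
    A lockfile can already pin a too-new transitive dependency, so check it."""
    cutoff = now - timedelta(days=min_age_days)
    too_young = []
    for name, version in locked.items():
        published = publish_dates(registry[name])[version]
        if published > cutoff:
            too_young.append((name, version, (now - published).days))
    return too_young

if __name__ == "__main__":
    lock = {"example-lib": "1.2.0"}  # constructed lockfile excerpt
    print(newest_allowed(REGISTRY["example-lib"], 7))  # -> 1.1.0
    print(audit_lockfile(lock, REGISTRY, 7))  # -> [('example-lib', '1.2.0', 0)]
```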



The last time I looked at this, using ignore-scripts = true with npm results in "npm run xyz" getting blocked as well, is that still the case?


Nope, that's not the case. This blocks lifecycle scripts, but it doesn't block scripts that are explicitly invoked by `npm run`. From the documentation[0]:

  Note that commands explicitly intended to run a particular script, such as 
  npm start, npm stop, npm restart, npm test, and npm run-script will still
  run their intended script if ignore-scripts is set, but they will not 
  run any pre- or post-scripts.

0: https://docs.npmjs.com/cli/v8/commands/npm-run-script#ignore...


+1 to this. I am glad to have enabled these back in March before the last two waves hit. In addition to that, make sure you have a lockfile committed to your repo and be mindful of adding new dependencies. Use `pnpm install --frozen-lockfile` to avoid surprises.

If you don't have min-release-age set, remember that you can still pull in affected packages via indirect dependencies.

And ideally pin your package manager version too.


I hate to spam this but I've seen this misconception on bun repeatedly in each of these incident threads. It should really be noted that bun _does_ run lifecycle scripts for the top 500 most popular packages by default. You can opt out of this but it's not the default config. It's much better than the npm strategy but I think it would be much better if there was a way to explicitly acknowledge you want this default whitelist applied (e.g. scriptPolicy = allow, deny, or allow popular only)

https://bun.com/docs/pm/lifecycle


pip also supports relative dependency cooldowns starting in v26.1:

  ~/.config/pip/pip.conf
  [install]
  uploaded-prior-to = P3D


Those should be defaults in npm.



