Review your reliance on npm libraries and CDNs
The effect was instantaneous. Hundreds of builds per minute were breaking, and npm took the unprecedented step of re-publishing the leftpad module to fix the problem. While the legal issues surrounding npm's decision are unclear at this time, we learned some very important lessons yesterday.
First, if you publish a library on npm that has external dependencies, you should consider forking the code for the external dependencies and publishing your own copy of the dependencies so you control your own destiny. Because of how npm works, you could even be at risk if a dependency once removed (a dependency of a library you are dependent on) is unpublished.
Second, npm is, as things stand, unsafe territory. See this Twitter comment from Maxwell Ogden:
There are at least three immediate issues with how npm works. First, a single developer, as we have just learned, can unpublish a single module and break a very large number of dependent projects. Second, and more insidious, a hacker could hack the install process for a module and inject a virus, as Ogden indicates.
Third, and perhaps worst of all, a maintainer of a module like leftpad, rather than unpublish the module during such a dispute, could change the module and create their own hacks against mass infrastructure. While ethical people would never do something so nefarious, it only takes a single unethical person to make it happen. And if you really want to be paranoid about it, consider that an agent for a third party like a government or corporation could publish something, wait until it becomes popular, and then infect it with malware. This kind of attack might be detected fairly quickly, but because of the scale of use, even a couple of days without detection could leave hundreds of thousands or millions of installations at risk of attack.
Here are some immediate steps you can take:
- Your web sites should be reviewed for dependencies on npm.
- Any npm modules you publish should be reviewed for dependencies and such dependencies should be mitigated.
- You should review reliance on CDNs and create fallback strategies if your CDN fails or is compromised.
There will be repercussions from yesterday's events for some time. Don't wait for npm to decide how they are going to deal with what happened, move now and protect your own assets.