Hacker News | jkrems's comments

I mean... "as configured" can be either an allow OR a denylist. That sentence doesn't really prescribe doing it one way or the other..? You have to parse the denylisted elements because they will affect the rest of the parse, so you _have_ to remove them afterwards in the general case.


Looks like it supports both actually: https://wicg.github.io/sanitizer-api/#sanitization

That's better than only supporting `removeElements`, but it really shouldn't support it at all.


pnpm is the better comparison maybe in this context. Most of Deno's approach to security is focussed on whole program policies which doesn't do much in this context. Just like pnpm and others, they do have opt-in for install scripts though. The npm CLI is an outlier there by now.


Vendoring wouldn't really affect this at all. If anything it would keep you vulnerable for longer because your vendored copy keeps "working" after the bad package got removed upstream. There's a tiny chance that somebody would've caught the 10MB file added in review but that's already too late - the exploit happened on download, before the vendored copy got sent for review.


But you would have code reviewed it


They didn't deploy the code. That's not how this exploit works. They _downloaded_ the code to their machine. And npm's behavior is to implicitly run arbitrary code as part of the download - including, in this case, a script to harvest credentials and propagate the worm. That part has everything to do with npm behavior and nothing to do with how much anybody reviewed 3P deps. For all we know they downloaded the new version of the affected package to review it!
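An added example, not part of the thread: one way to see which packages would have run code during install is to fetch the tree with `npm install --ignore-scripts` and then list the lifecycle hooks that were skipped. The package names and the sample tree are constructed, and the function names are hypothetical.

```javascript
// Added example, not from the thread. Package names are constructed.
// Top-level packages only; nested node_modules directories are not walked.
const fs = require("fs"), os = require("os"), path = require("path");
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
function installTimeCommands(pkgDir) {
  const manifest = JSON.parse(fs.readFileSync(path.join(pkgDir, "package.json"), "utf8"));
  const scripts = manifest.scripts || {};
  const found = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h] }));
  // npm defaults "install" to `node-gyp rebuild` when binding.gyp exists and
  // the package defines neither an install nor a preinstall script.
  if (!scripts.install && !scripts.preinstall && fs.existsSync(path.join(pkgDir, "binding.gyp"))) {
    found.push({ hook: "install (implicit)", command: "node-gyp rebuild" });
  }
  return found;
}

function auditNodeModules(root) {
  const report = {};
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith(".")) continue;
    const names = entry.name.startsWith("@") // scoped packages sit one level down
      ? fs.readdirSync(path.join(root, entry.name)).map((n) => `${entry.name}/${n}`)
      : [entry.name];
    for (const name of names) {
      const pkgDir = path.join(root, name);
      if (!fs.existsSync(path.join(pkgDir, "package.json"))) continue;
      const commands = installTimeCommands(pkgDir);
      if (commands.length) report[name] = commands;
    }
  }
  return report;
}

// Constructed sample tree so the audit runs offline.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "nm-audit-"));
  const put = (name, manifest, extraFile) => {
    fs.mkdirSync(path.join(root, name), { recursive: true });
    fs.writeFileSync(path.join(root, name, "package.json"), JSON.stringify(manifest));
    if (extraFile) fs.writeFileSync(path.join(root, name, extraFile), "{}");
  };
  put("plain-lib", { name: "plain-lib", scripts: { test: "node test.js" } });
  put("hooked-lib", { name: "hooked-lib", scripts: { postinstall: "node setup.js" } });
  put("@scope/native-lib", { name: "@scope/native-lib" }, "binding.gyp");
  return root;
}

console.log(JSON.stringify(auditNodeModules(buildSampleTree()), null, 2));
```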


If people stop running install scripts, isn't Shai-Hulud 3: Electric Boogaloo just going to be designed to run its obfuscated malware at runtime rather than install time? Who manually reviews new versions of their project dependencies after installing them but before running them?

GP is correct. This is a workflow issue. Without a review process for dependencies, literally every package manager I know of is vulnerable to this. (Yes, even Maven.)


> If people stop running install scripts, isn't Shai-Hulud 3: Electric Boogaloo just going to be designed to run its obfuscated malware at runtime rather than install time?

Many such forms of malware have already been published and detected.

> Who manually reviews new versions of their project dependencies after installing them but before running them?

One person putting in this effort can protect everyone thereafter.

The PyPI website has a "Report project as malware" button on each project page for this purpose.

But yes, this is the world we live in. Without this particular form of insecurity, there is no "ecosystem" at all.


Thank you.


Looks like it's back again!


Afaict many of these recent supply chain attacks _have_ been detected by scanners. Which ones flew under the radar for an extended period of time?

From what I can tell, even a few hours of delay for actually pulling dependencies post-publication to give security tools a chance to find it would have stopped all (?) recent attacks in their tracks.
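The post-publication delay described above, as an added example that is not part of the thread: given the per-version publish timestamps the npm registry returns in a package's `time` map, pick the newest stable version that has been public for at least a chosen number of hours. The package, its versions and timestamps are constructed, and `pickCooledVersion` is a hypothetical helper name.

```javascript
// Added example (not from the thread). The packument below is constructed; it
// mimics the `time` map (version -> ISO publish timestamp) that the npm
// registry returns for a package.
const samplePackument = {
  name: "example-pkg", // hypothetical package
  "dist-tags": { latest: "2.4.1" },
  time: {
    created: "2024-01-10T09:00:00.000Z",
    modified: "2025-09-16T03:12:00.000Z",
    "2.3.0": "2025-06-01T12:00:00.000Z",
    "2.4.0": "2025-09-10T08:30:00.000Z",
    "2.4.1": "2025-09-16T03:12:00.000Z", // 2h48m before `now` below
    "3.0.0-beta.1": "2025-08-01T00:00:00.000Z",
  },
};

const STABLE = /^(\d+)\.(\d+)\.(\d+)$/;

function compareVersions(a, b) {
  const pa = STABLE.exec(a).slice(1).map(Number);
  const pb = STABLE.exec(b).slice(1).map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Fails closed: a version with a missing or unparsable timestamp is held back.
function pickCooledVersion(packument, minAgeHours, now = new Date()) {
  const cutoff = now.getTime() - minAgeHours * 3600 * 1000;
  const eligible = [];
  const held = [];
  for (const [version, published] of Object.entries(packument.time)) {
    if (!STABLE.test(version)) continue; // skips created/modified and prereleases
    const ts = Date.parse(published);
    if (Number.isNaN(ts) || ts > cutoff) held.push(version);
    else eligible.push(version);
  }
  eligible.sort(compareVersions);
  held.sort(compareVersions);
  return { install: eligible.length ? eligible[eligible.length - 1] : null, held };
}

const now = new Date("2025-09-16T06:00:00.000Z");
console.log(pickCooledVersion(samplePackument, 24, now));
```

Note that the `latest` dist-tag already points at the held version, so the check has to run against publish times rather than trusting the tag.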


Nothing to do with "smart", or at least that's mostly irrelevant to this observation. But it's definitely age-dependent. No matter how "smart", it's not fair to expect young children to immediately and fully pay attention to some "random" voice when other interesting things are going on at the same time.


> Why the South? What about the North? Symmetric globe?

The globe isn't symmetric when it comes to these terms. They don't refer to the actual two hemispheres, split at the equator. The "south" contains the equator and the "north" ends way before the equator.

> And why is the shrinking considered a misrepresentation, but the enlargement of high latitudes apparently not?

Because being overrepresented (looking bigger) is typically an advantage. Both are misrepresentations but the direction matters. Some of this is only a real problem if geographical area and population are correlated. Which, at least in broad strokes, is true here.


Both of my questions have no correct answers if you are unbiased. My intent was to get people thinking.


You asked what you thought were open ended questions but turned out to have concrete answers. Maybe you are also one of these people who should reflect?


Same way "7" is a concrete answer to "How many colors does the Rainbow have?". But the answer does not relate to the physical object at all, but is actually the idea of Isaac Newton.


Nope, not in the same way at all. One of your questions was just a straightforward misunderstanding of the terminology. It just wasn't as deep as you thought it was, and if your desire is to be honest with yourself and grow, you should recognize that. If you're trying to challenge other people's ideas to provoke them into a new position, but aren't ready to recognize when your own ideas have fallen short, then I'd suggest tending your own garden before worrying about whether your neighbor is underwatering.


> One of your questions was just a straightforward misunderstanding of the terminology

I failed to make you question the terminology, obviously.


Again, don't worry about whether I failed to think or question, worry about whether you are actually engaging in the way you prescribe. If you were as enlightened as you believe you are, you wouldn't be so defensive.


What you write makes no point.


Back at you bud! Have a good one.


Could this be trivially solved client-side by the editor if it just encoded the slashes, assuming it's HTML or markdown that's stored? Replacing `/etc/hosts` with `/etc/hosts` for storage seems like an okay workaround. Potentially even doing so for anything that's added to the WAF rules automatically by syncing the rules to the editor code.


> The gap between design and engineering has never been wider.

This seems like such a weird claim to make. This used to be "here's a JPEG, you may beg for the PSD". Not saying that there's no gap today but... never been wider..? Am I missing something about the typical Figma setup that makes it worse than a random JPEG export of one state of the UI?


This is about the gap between Figma and React/Tailwind/CSS-in-JS, which is wider than Figma -> CSS

