SAN FRANCISCO, CA - In the wake of a devastating supply chain attack in the npm registry that left millions of enterprise applications compromised and billions of user records exposed, developers across the JavaScript ecosystem expressed deep sorrow today, lamenting that such a crisis was completely unavoidable. “It’s a shame, but what can you do? This is just the price of building modern web apps,” said Senior Frontend Engineer Mark Vance, echoing the sentiments of a community that completely relies on a 40-level-deep nested tree of unvetted packages maintained by pseudonymous strangers to capitalize a single string. “There’s absolutely no way to foresee or prevent someone from taking over a long-abandoned utility package and injecting a crypto-miner into every production build in the world. It’s just an act of nature.”
  • iocase@lemmy.zip
    6·
    19 hours ago

    I guess one benefit is rust development often doesn’t use bleeding edge version for everything, where you pull the entirety of crates.io through your machine when you open your IDE. From what I’ve seen most projects use == versions and lock files.

    I don’t know enough about rust though. Could an attacker change historical crate versions to a payload and then cargo pulls them because they changed? Or will cargo only pull an update if you change to a different version on your machine?

    • Miaou@jlai.lu
      2·
      11 hours ago

      Cargo does not respect lockfiles by default, AFAIK. You need to explicitly pass the --locked flag.

      • Technus@lemmy.zip
        1·
        2 hours ago

        When you cargo install a binary, it ignores lockfiles. If you clone a project and build it, it respects the Cargo.lock that was checked in.

    • Technus@lemmy.zip
      5·
      18 hours ago

      You can’t overwrite previously published versions.

      Application projects are recommended to check-in the Cargo.lock which pins dependency versions but you can always just run cargo update at any time which automatically upgrades all dependencies to the newest version allowed by the Cargo.toml.

      Some projects get around this by pinning the dependency in the Cargo.toml (using =) or by vendoring all their dependencies, which is a huge pain in the ass.

    • brucethemoose@lemmy.world
      2·
      18 hours ago

      That sounds better and worse. An attack could persist past one specific version without anyone noticing for a bit.