Every time I see news like this, I am amazed by the absolute lack of permission management in nodejs and npm.
I mean, a package.json with changing permissions and an alert or manual confirmation step could've easily fixed this.
NPM is pretty much the definition of a security nightmare, because you cannot guarantee anything.
Any dependency down the tree can compromise anything upstream.
I think that package managers must offer build bots that use the source code (git repositories) as the source of truth rather than their own packages. That's the only way that comes to mind to guarantee that the publisher of the package is actually the same owner.
If a git repo changes, warn all users. If a permission changes, warn all users. If a header/symbol file changes, warn all users.
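The "warn when something changes, confirm before installing" idea from the comment above, as an added example that is not part of the original post. npm has no per-package permission model, so the closest real signals a package.json carries are lifecycle scripts (preinstall/install/postinstall/prepare), the repository field and bin entries; the script diffs two dependency snapshots on exactly those fields. All package names, versions and URLs in the sample snapshots are constructed for illustration.

```javascript
// Added example: diff two dependency snapshots and flag the changes that
// should block an install until a human confirms them. Not from the original
// comment. Snapshots are plain objects: package name -> its package.json.

const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

// Reduce a package.json to the security-relevant subset we want to watch.
function profile(pkg) {
  const scripts = {};
  for (const hook of LIFECYCLE) {
    if (pkg.scripts && pkg.scripts[hook]) scripts[hook] = pkg.scripts[hook];
  }
  const repository = typeof pkg.repository === 'string'
    ? pkg.repository
    : (pkg.repository && pkg.repository.url) || null;
  const bin = typeof pkg.bin === 'string' ? { [pkg.name]: pkg.bin } : (pkg.bin || {});
  return { version: pkg.version, scripts, repository, bin: Object.keys(bin).sort() };
}

// Compare snapshots taken before and after an update. Returns one alert per
// observed change; kinds: added, removed, version, lifecycle, repository, bin.
function diffSnapshots(before, after) {
  const alerts = [];
  const names = [...new Set([...Object.keys(before), ...Object.keys(after)])].sort();
  for (const name of names) {
    if (!(name in before)) { alerts.push({ pkg: name, kind: 'added', detail: after[name].version }); continue; }
    if (!(name in after)) { alerts.push({ pkg: name, kind: 'removed', detail: before[name].version }); continue; }
    const a = profile(before[name]);
    const b = profile(after[name]);
    if (a.version !== b.version) {
      alerts.push({ pkg: name, kind: 'version', detail: `${a.version} -> ${b.version}` });
    }
    for (const hook of LIFECYCLE) {
      if (a.scripts[hook] !== b.scripts[hook]) {
        alerts.push({ pkg: name, kind: 'lifecycle',
          detail: `${hook}: ${JSON.stringify(a.scripts[hook] || null)} -> ${JSON.stringify(b.scripts[hook] || null)}` });
      }
    }
    if (a.repository !== b.repository) {
      alerts.push({ pkg: name, kind: 'repository', detail: `${a.repository} -> ${b.repository}` });
    }
    if (a.bin.join(',') !== b.bin.join(',')) {
      alerts.push({ pkg: name, kind: 'bin', detail: `${a.bin.join(',')} -> ${b.bin.join(',')}` });
    }
  }
  return alerts;
}

// A plain version bump is routine; a new install hook, a changed upstream
// repository or a new executable is what a manual confirmation step should gate.
function requiresConfirmation(alerts) {
  return alerts.filter(a => a.kind === 'lifecycle' || a.kind === 'repository' || a.kind === 'bin');
}

// Constructed sample: hypothetical packages, not real npm packages.
const SAMPLE_BEFORE = {
  'example-util': { name: 'example-util', version: '1.2.0',
    repository: { type: 'git', url: 'git+https://github.com/example/example-util.git' } },
  'example-colors': { name: 'example-colors', version: '3.0.0',
    repository: 'github:example/example-colors', scripts: { test: 'node test.js' } },
};
const SAMPLE_AFTER = {
  // Patch bump that also grew a postinstall hook and moved to another repo.
  'example-util': { name: 'example-util', version: '1.2.1',
    repository: { type: 'git', url: 'git+https://github.com/someone-else/example-util.git' },
    scripts: { postinstall: 'node setup.js' } },
  'example-colors': SAMPLE_BEFORE['example-colors'],
  'example-new': { name: 'example-new', version: '0.0.1' },
};

const alerts = diffSnapshots(SAMPLE_BEFORE, SAMPLE_AFTER);
for (const a of alerts) console.log(`${a.kind.padEnd(10)} ${a.pkg}: ${a.detail}`);
console.log(`needs confirmation: ${requiresConfirmation(alerts).length}`);
```

In real use the two snapshots would be built by reading every `node_modules/**/package.json` before and after `npm install`; the diff logic above does not need to change for that. The version-only change on a package is reported but not gated, which is deliberate: gating every bump trains people to click through, while a new postinstall hook or a repository that suddenly points somewhere else is rare enough to deserve a stop.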