The massive bug at the heart of npm
Darcy Clarke, former GitHub Staff Engineering Manager and founder of vlt, joins us to discuss a major bug in the npm ecosystem that he recently disclosed. We cover the bug’s timeline, nuances, and impact, all while setting some important context on npm packages, clients, and registries. Tune in to learn how to protect your codebase and gain a deeper understanding of this crucial part of the JavaScript ecosystem.
Darcy Clarke, former GitHub Staff Engineering Manager and founder of vlt, joins us to discuss a major bug in the npm ecosystem that he recently disclosed. We cover the bug’s timeline, nuances, and impact, all while setting some important context on npm packages, clients, and registries. Tune in to learn how to protect your codebase and gain a deeper understanding of this crucial part of the JavaScript ecosystem.
Changelog++ members save 2 minutes on this episode because they made the ads disappear. Join today!
Sponsors:
- Fastly – Our bandwidth partner. Fastly powers fast, secure, and scalable digital experiences. Move beyond your content delivery network to their powerful edge cloud platform. Learn more at fastly.com
- Fly.io – The home of Changelog.com — Deploy your apps and databases close to your users. In minutes you can run your Ruby, Go, Node, Deno, Python, or Elixir app (and databases!) all over the world. No ops required. Learn more at fly.io/changelog and check out the speedrun in their docs.
- Typesense – Lightning fast, globally distributed Search-as-a-Service that runs in memory. You iterlly can’t get any faster!
- Changelog News – A podcast+newsletter combo that’s brief, entertaining & always on-point. Subscribe today.
Featuring:
- Darcy Clarke – Twitter, GitHub, LinkedIn, Website
- Amal Hussein – Twitter, GitHub
- Feross Aboukhadijeh – Twitter, GitHub, Website
Show Notes:
- Darcy / vlt’s blog post on this massive npm bug
- Feross / Socket’s follow-up blog post in this issue
- Refactor Conf - Darcy & Feross will be speaking in July
- Verdaccio (not to be mistaken with Versace) - an open source npm registry proxy
- Github layoffs for engineering team in India
- Bug filled July 28th, 2022 related to binding.gyp and triaged on October 22nd, 2022
- Darcy’s original test POC from Nov 2nd, 2022
- Darcy’s POC from March 8th, 2023 which was used in the HackerOne report to Github
- Legacy docs for npm publish params
- Tool for checking packages for manifest mismatches
- Great resource for security acronyms
Something missing or broken? PRs welcome!
Timestamps:
(00:00) - It's party time, y'all
(00:40) - Welcoming Darcy
(02:56) - A massive bug
(05:04) - Ecosystem overview
(09:30) - But why?
(13:58) - Verdaccio
(16:46) - Why is this so broken
(27:38) - Timeline of the bug
(41:40) - Blog post feedback
(43:45) - Why, GitHub, why?!
(45:12) - Sponsor: Changelog News
(46:44) - How do we dig ourselves out
(53:14) - What the early days were like
(55:03) - What's next for Darcy
(57:25) - vlt (Volt)
(59:45) - Closing time!
(1:01:57) - Next up on the pod