Not really, and it takes a few minutes because most of these packages (including npm) are small. You don’t have to read the WireGuard codebase because it’s reputable enough, but for obscure or unknown add-ons/package code, it’s on you to double-check, just like reading the ‘readme’.

So just sneak the code in a dependency of a dependency.

Who’s diving 3-4 layers deep into dependencies?

No need to hide it inside dependencies, just modify the code before building and pushing the package to PyPI.

You can't "not really" this away. Most people don't bother looking at small package code, much less code for packages that are far more complex.

I haven’t looked at the source code of a single npm package I’ve installed in the past 5 years.

“It takes a few minutes”

Dude my web dev projects have like 1,000s of dependencies. I’m not going to check the source code of every package tailwind requires.

Even if you did review it, a motivated attacker is not going to have an exfiltrate_user_data(). The xz backdoor exploit was incredibly sophisticated, and one key of the design was sneaking a "." into a single line of a build test script.

A cursory audit of primary dependencies has almost zero chance of catching anything but a brazen exploit.

Yeah. Realistically I think the best course of action is just assume you’re already using a library that can exfiltrate data.

This requires allowlisting egress traffic and possibly even architecting things to prevent any one library from seeing too many things. This approach can be a big pain though and could be difficult to implement practically.
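The egress allowlisting idea from the comment above, as an added example that is not part of the original thread: an in-process guard that wraps Python's socket layer so any library in the process that opens a connection to a host outside the allowlist gets a refusal instead of a connection. The hostnames and network range are constructed placeholders. An in-process guard like this is a demonstration of the principle and a useful tripwire for detection; a dependency that talks to the C socket API directly can bypass it, so real enforcement belongs at the network layer (host firewall or egress proxy) as well.

```python
"""In-process egress allowlist: refuse socket connections to hosts not on the list."""
import ipaddress
import socket

# Constructed allowlist: the hosts and network this application is expected to reach.
ALLOWED_HOSTS = {"api.example.internal", "db.example.internal"}
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


class EgressDenied(ConnectionError):
    """Raised when a connection target is outside the allowlist."""


def is_allowed(host: str) -> bool:
    """True if host (a DNS name or an IP literal) is on the allowlist."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal, so compare as a hostname
        return host.lower().rstrip(".") in ALLOWED_HOSTS
    return any(addr in net for net in ALLOWED_NETS)


# Keep the originals so the guard can be removed and so allowed traffic still works.
_real_create_connection = socket.create_connection
_real_connect = socket.socket.connect


def _guarded_create_connection(address, *args, **kwargs):
    # urllib/http.client and most HTTP libraries end up here.
    if not is_allowed(address[0]):
        raise EgressDenied(f"egress to {address[0]!r} blocked by allowlist")
    return _real_create_connection(address, *args, **kwargs)


def _guarded_connect(self, address):
    # Raw socket.connect(); AF_UNIX passes a str, which the allowlist does not cover.
    if isinstance(address, tuple) and not is_allowed(address[0]):
        raise EgressDenied(f"egress to {address[0]!r} blocked by allowlist")
    return _real_connect(self, address)


def install_guard() -> None:
    socket.create_connection = _guarded_create_connection
    socket.socket.connect = _guarded_connect


def uninstall_guard() -> None:
    socket.create_connection = _real_create_connection
    socket.socket.connect = _real_connect


def try_egress(host: str, port: int = 443) -> str:
    """Attempt a connection the way a library would; report 'blocked' or 'connected'."""
    try:
        with _real_create_connection.__class__ and socket.create_connection((host, port), timeout=2):
            return "connected"
    except EgressDenied:
        return "blocked"
```

Call `install_guard()` once at process start, before any third-party module is imported, so every later connection attempt passes through the allowlist and a blocked one surfaces as a logged exception rather than silent traffic.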

Imo this makes no sense. There's zero chance you will start inspecting all dependencies even in a relatively small application, which nowadays could already pull in a large number of deps.

I don't see how doing any of this manually will help.

This is why I refuse to use almost anything on npm. If you have a zero dependency project I'll consider it. If you have a dependency that also has a set of dependencies then I will never use your code.

Would you have caught the XZ backdoor?
