Pnpm has a new setting to stave off supply chain attacks
14 comments
September 18, 2025
omnicognate
zokier
Or just use ISO8601 standard notation (e.g. "P1D" for one day)
postepowanieadm
If everyone is going to wait 3 days before installing the latest version of a compromised package, it will take more than 3 days to detect an incident.
anematode
A lot of people will still use npm, so they'll be the canaries in the coal mine :)
More seriously, automated scanners seem to do a good job already of finding malicious packages. It's a wonder that npm themselves haven't already deployed an automated countermeasure.
vasachi
If only there was a high-ranking official at Microsoft, who could prioritize security[1]! /s
[1] https://blogs.microsoft.com/blog/2024/05/03/prioritizing-sec...
OskarS
I have a question: when I've seen people discussing this setting, people talk about using like "3 days" or "7 days" as the timeout, which seems insanely short to me for production use. As a C++ developer, I would be hesitant to use any dependency in the first six months of release in production, unless there's some critical CVE or something (then again, we make client side applications with essentially no networking, so security isn't as critical for us, stability is much more important).
Does the JS ecosystem really move so fast that you can’t wait a month or two before updating your packages?
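The minimum-release-age policy the thread is arguing about, as an added example in JavaScript that is not pnpm's own code: it takes the waiting period in the ISO 8601 duration notation zokier suggests and resolves the newest version from a registry packument (constructed here) that has been public for at least that long.

```javascript
// Added example, not pnpm's implementation. The packument below is constructed
// for this example; a real npm packument's "time" field has the same shape
// (version -> ISO 8601 publish timestamp, plus "created" and "modified").
const SAMPLE_PACKUMENT = {
  name: "example-lib", // constructed sample, not a real package
  "dist-tags": { latest: "4.2.1" },
  time: {
    created: "2025-01-10T09:00:00.000Z",
    modified: "2025-09-16T20:00:00.000Z",
    "4.1.46": "2025-07-01T10:00:00.000Z",
    "4.1.47": "2025-08-20T10:00:00.000Z",
    "4.2.0": "2025-09-12T08:30:00.000Z",
    "4.2.1": "2025-09-16T20:00:00.000Z",
  },
};
const NOW = Date.parse("2025-09-18T12:00:00.000Z"); // fixed clock for the example

// Parse an ISO 8601 duration such as "P3D", "P1W" or "PT12H" into milliseconds.
// Rejects anything that is not in that notation (e.g. a bare "3"), which is the
// ambiguity the thread complains about.
function parseDuration(iso) {
  const m = /^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$/.exec(iso);
  if (!m || m[0] === "P" || m[0] === "PT") throw new Error(`bad ISO 8601 duration: ${iso}`);
  const n = (i) => (m[i] === undefined ? 0 : Number(m[i]));
  return ((((n(1) * 7 + n(2)) * 24 + n(3)) * 60 + n(4)) * 60 + n(5)) * 1000;
}

// Numeric major.minor.patch comparison (prereleases are filtered out earlier).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Newest stable version whose publish time is at least `minAge` before `now`;
// null when nothing in the packument is old enough yet. Note that the "latest"
// dist-tag is deliberately ignored: the age check decides, not the registry tag.
function resolveWithMinimumAge(packument, minAge, now = Date.now()) {
  const cutoff = now - parseDuration(minAge);
  const eligible = Object.entries(packument.time)
    .filter(([v, t]) => /^\d+\.\d+\.\d+$/.test(v) && Date.parse(t) <= cutoff)
    .map(([v]) => v)
    .sort(compareVersions);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

console.log(resolveWithMinimumAge(SAMPLE_PACKUMENT, "P3D", NOW)); // "4.2.0"
```

With "P180D" (the six months OskarS mentions) nothing in the sample qualifies and the resolver returns null, which is the situation a consumer has to decide how to handle.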
progx
Yes, but this is not only JS dependent; in PHP (composer) it is the same.
Normally old major or minor packages don't get an update, only the latest.
E.g. 4.1.47 (no update), 4.2.1 (yes got update).
So if the problem is in 4.1 you must "upgrade" to 4.2.
With "perfect" semver, this shouldn't be a problem, because 4.2 only adds new features... but... back to reality, the world is not perfect.
progx
That doesn't really solve the problem.
A better (not perfect) solution: every package should be analysed by AI on an update before it is publicly available, to detect dangerous code and set a rating.
In package.json a rating should be defined; when the remote package is below that value it could be updated, and if it is higher a warning should appear.
But this will cost, but I hope that companies like GitHub, etc. will allow package repositories to use their services for free. Or we should find a way to distribute this service to us (the users and devs) like a BOINC client.
jonkoops
Ah, yes! The universal and uncheatable LLM! Surely nothing can go wrong.
progx
As I wrote, "not perfect". But better than anything else or nothing.
robertlagrant
The Politician's Syllogism[0] is instructive.
progx
I can't wait to read about your solution.
Should have included the units in the name or required a choice of unit to be selected as part of the value. Sorry, just a bugbear of mine.