Security News
Sarah Gooding
August 8, 2024
Following a discussion in OpenJS Slack, Node.js PMWG (Package Maintenance Working Group) members have formalized a plan for eventually removing Corepack.
In February, the Node.js community engaged in a heated debate over a proposal to enable Corepack by default that was opened in November 2023. This included the question of whether npm would be provided through Corepack moving forward, as some contributors hold the opinion that the eventual goal of its integration was to uncouple Node.js releases and npm releases. In March, Node’s Technical Steering Committee (TSC) confirmed they have no intention to remove npm from distribution.
As the discussion evolved, the TSC delegated decisions regarding Corepack to the PMWG. In a PR titled “feat: next steps for version management progress,” PMWG members have outlined a roadmap that leads to removing Corepack from the Node.js distribution in the next major release:
Proposal: Next steps
As part of achieving the second goal, “Install Node.js and a package manager for a local development environment,” and following up on the proposal to revise the downloads page, we propose the following next steps:
We should revise the Node.js download page to split apart the operating system package managers (Homebrew and Chocolatey) onto their own tab separate from the Node.js version managers (nvm and fnm) and the version managers tab should remain the default. This will further nudge users toward our recommendation of installing Node.js in a version-managed way.
Also on the download page, we should add instructions for installing Yarn and pnpm as package managers to use for a project. These instructions should follow whatever recommendation we receive from those projects' maintainers.
Corepack's documentation should be moved out of the Node.js API documentation and into its own website, or accessible as Markdown files in the Corepack repo. Corepack is a separate project from Node.js and intermingling its documentation within Node.js's is confusing; we don't do that for npm even though we distribute npm.
Once all of the above is complete, we should remove Corepack from the Node.js distribution starting in the next major release. Users who wish to continue using Corepack can do so via the instructions available on the Node.js download page or in Corepack's documentation. This will reduce the maintenance burden on the Node.js project and allow Corepack to evolve independently.
The PR has already received five approvals, one more than the requisite four approvals needed from regular members in order to merge it. According to the group’s PR merging policy, the PR must also have no blocking reviews and a seven-day period from the 4th approval to merging. At the time of publishing, the PR remains open.
In a surprising turn of events, the discussion about enabling corepack by default became an important milestone that precipitated this decision.
Several commenters on the PR noted the relative popularity of Corepack among experimental features of Node.js. TSC member Marco Ippolito shared data from the latest survey, saying it seems Corepack is “pretty popular”:
Others have continued the discussion in a previous PR for removing corepack, which has been in discussion since March. TSC member Matteo Collina notably reversed his support for Corepack two months ago, due to its support for downloading the package managers from a source that is not npm.
Those who are happily using Corepack see its removal as a step backwards.
“I've been using pnpm exclusively through corepack,” @joshuajaco commented last week.
“The main reason is npm has basically become unusable over the years. It is incredibly slow, often gives confusing error messages and sometimes just gives wrong, non-deterministic results. Forcing people to use npm to install the package manager they actually want to use is a terrible step backwards.”
The previous PR calling for Corepack’s removal has seen a reactivation of discussion after PMWG moved to approve action on its roadmap.
“I'll also add my deep disappointment with this sad state of affairs,” web developer Nick Ribal commented. “Lots of people choose not to use npm for lots of valid reasons. For this crowd, Corepack has been nothing short of a lifeline, which this PR aims to sever. It'll be a terrible regression and will harm many node users. It is actively hostile and I wish more people realized that.”
Over the past two weeks, a strong contingent of PMWG members has come to the consensus that Corepack is better off evolving independently. To understand this decision, it’s important to dive deeper into the conversations that led to this consensus.
While Corepack was originally implemented to make users’ lives easier, there is more historical context around how it was added.
“[Corepack] did exist prior to being included with Node and it is a separate tool,” Darcy Clarke said during the most recent PMWG meeting. “It didn't have a ton of time in the ecosystem to be baked before it was pulled in but it did exist and does exist separate of node core, so you can still access it and in fact you can get the latest version of it independent of the node distribution. Pulling it out of core - I don't think prevents anybody from continuing to use Corepack.”
Jordan Harband noted that with a few rare exceptions, yarn and Corepack maintainers haven’t shown up to the meetings where decisions are being made for the better part of a decade, prioritizing collaboration on GitHub or Twitter.
“I want these people in here to collaborate,” Harband said. “I want us to share our ideas and it's pretty difficult to iterate on something when the people running it are underrepresented in these standards arenas.”
Wes Todd expressed a similar sentiment in the meeting regarding the working group’s willingness to solve the technical issues hindered by the inability to bring important stakeholders to the table.
“Let's find the actual edges of these technical problems and let's see if we can solve them,” Todd said. “I really hope we can. Unfortunately though, we don't have the Corepack maintainers in the room so that has been a regular lack of - that's been the lack the entire time is that the folks who can help us get over those things are not implementing the feedback and are not participating in the feedback cycle so it has become very difficult to have a productive conversation and move forward without it resorting to fallbacks of ‘let's call for a vote’ or let's do this or that.”
Todd commented on the PR with the roadmap that leads to removing Corepack from the Node.js distribution, adding a summary of the action items identified in the most recent PMWG meeting:
The next PMWG meeting on the calendar is on August 29. Members are working to lock the battleground PRs and redirect the conversation regarding Corepack to the efforts that are being actively pursued by the working group.