Oops!
Stories of supply chain shenanigans.

@naugtur, 2021
#### I was into JS security before I knew JS or security
My first 5 lines of JavaScript ever
```js
function kill(){
  setTimeout('kill',0)
  setTimeout('kill',0)
}
kill()
```
breaks Windows pre XP SP2
## What's a supply chain?
(slide graphic: npm logo → your app)
### Vulnerabilities in legitimate packages
# &
### Malicious packages
## Vulnerabilities in legitimate packages
### audit dependencies!
## `npm audit fix`

Story time

Integrations team at Egnyte

>30 apps

mass maintenance

💝 ReDoS

### We want audit in CI
- run audit check in CI
- manage your security decisions
- no demo-day hangovers
- npm-audit-resolver
### npm audit resolver
Wrapper for `npm audit` in CI
```
check-audit
```
Tool to manage your security decisions
```
resolve-audit
resolve-audit --yarn
```

npm audit resolver


```
$ resolve-audit
lodash needs your attention.

[ low ] Prototype Pollution
vulnerable versions <4.17.5 found in:
-  devDependencies: lodash
f) fix with npm install lodash
d) show more details and ask me again
r) remind me in 24h
i) ignore paths
del) Remove all listed dependency paths
s) Skip this
q) Quit
What would you like to do?
```
                            
### npm audit resolver
- [Package Vulnerability Management & Reporting Collaboration Space](https://github.com/openjs-foundation/pkg-vuln-collab-space)
- Yarn is supported, npm7 experimental
- Plans to expand to trusted recommendations lists

You can use it now

Feedback welcome!
### Read more
[Do you need help with npm audit?](https://dev.to/naugtur/do-you-need-help-with-your-npm-audit-3olf)
## Malicious packages
# 🤔
publish a package

So, I published a package

I'm gonna sneak it in as
a dependency of
a dev dependency of yours
#### You think you won't run it?
npm docs for lifecycle scripts
```
"postinstall": "echo 💩 > /etc/hosts"
```
### Need a demo?
### Ok, wait
```
✨🐋
npm ci
cp node_modules s3://
🔥🔥🐋🔥🔥
```
### Hold my 🍺
(image: a dude prodding an item with his leg, illustrating "fixing")

But I prefer fixing

# Let's fix this mess
## --ignore-scripts
```
npm ci --ignore-scripts
yarn --ignore-scripts
```

And that's it?

### Almost...
## 😅
#### Does your app still work?
#### Yeah. Some scripts are there for a reason
#### Run selected scripts
npm CLI has an option to do that
```
npm rebuild bcrypt bignum
```
For more control (and yarn support) use allow-scripts
```
npm install -D allow-scripts
```

allow scripts

(screenshot: allow-scripts npm page)

more tooling?

@lavamoat/allow-scripts etc.
### That's great. Now I **"just"** need to look through all my dependencies and create an allow list

There's an app for that

Call to arms!

Please open PRs to data.json
### Need to convince others?
### I've got you covered!
```
npm install -D @naugtur/pentest-my-ci
```
It will break your build and print a scary but informative message 😂
### My recommendation
```
✨🐋
cp remote/package.json ./
cp remote/package-lock.json ./
npm ci --production --ignore-scripts
npx allow-scripts
npx check-audit
cp node_modules s3://
🔥🔥🐋🔥🔥
```

Thanks!



@naugtur   naugtur.pl