One thing I loved about Mac OS X was that Apple took responsibility for curating, installing, and updating Unix libraries and tools. I say Mac OS X rather than macOS because, sadly, in recent years Apple has removed many parts of the Unix foundation from the Mac and also shirked its responsibility to update the remaining Unix components (see, for example, my previous blog post "macOS Monterey still vulnerable to CVE-2022-40303"). The glory days when Mac OS X was (IMO) actually the best version of Unix in the world are long over.
This blog post isn't about Mac OS X, though; it's about Node.js, the JavaScript runtime environment. As a web browser extension developer, I write a lot of JavaScript, so I have an obvious interest in Node.js. The default package manager for Node.js is npm. I've had to use Node.js and npm before for some third-party projects, but I don't currently use them for my own software. Why not? Frankly, I'm scared of Node packages.
From Wikipedia:
Over 1.3 million packages are available in the main npm registry. The registry does not have any vetting process for submission, which means that packages found there can potentially be low quality, insecure, or malicious. Instead, npm relies on user reports to take down packages if they violate policies by being low quality, insecure, or malicious.
Also:
- In July 2018, the npm credentials of a maintainer of the popular eslint-scope package were compromised, resulting in a malicious release of eslint-scope, version 3.7.2. The malicious code copied the npm credentials of the machine running eslint-scope and uploaded them to the attacker.
- In November 2018, it was discovered that a malicious package had been added as a dependency to version 3.3.6 of the popular package event-stream. The malicious package, called flatmap-stream, contained an encrypted payload that stole bitcoins from certain applications. npm administrators removed the offending package.
- In January 2022, the maintainer of the popular package colors pushed changes printing garbage text in an infinite loop. The maintainer also cleared the repository of another popular package, faker, and its package on npm, and replaced it with a README that read, "What really happened to Aaron Swartz?"
- In March 2022, developer Brandon Nozaki Miller released a version of the package node-ipc containing malicious code that would delete files from users with Belarusian and Russian IP addresses, in protest of the Russian invasion of Ukraine.
I'm interested in using Node.js for several reasons, but to me the tradeoffs aren't worth it. I don't want to risk compromising my Mac, which hosts critical business and personal data. The npm registry is simply not trustworthy.
I would love it if some entity took responsibility for curating, installing, and updating Node packages, much like Apple did for Unix components. In other words, I want a Mac OS X analogue for Node.js. (To be clear, I don't want an App Store analogue for Node.js. The crApp Store is full of scams. It's worse and less trustworthy than the npm registry. The crApp Store is not truly curated. Not in the way that Mac OS X was.)
Perhaps something like this for Node.js already exists? I'm not aware of anything, but I'm certainly not a Node expert. If a curated package manager does exist, please let me know! Otherwise, I hope that something like this comes into existence soon. It feels like a business opportunity. I for one would pay for it. (I would pay for macOS too again, if Apple put the care into it that they did in the past.)