[QCon 2019] Making npm install safe

Kate Sills @kate_sills

For other QCon blog posts, see QCon live blog table of contents


  • Building financial software in JavaScript
  • 97% of code in a modern web app comes from npm

Security issues

  • All packages are risky
  • Imports and global variables
  • Effects opaque
  • Can be from dependency many levels deep


  • Event stream package (11/28/18)
  • Electron native notify package (6/4/19)
  • Can call Node built-in modules to read a file and send it over the network
  • Targeted cryptocurrency

Options for solution

  • Write everything yourself – not scalable
  • Pay open source maintainers so someone responsible for security – people make mistakes. Even people who are paid can compromise a system
  • Code audits – don’t see everything; hard to find clever

Other approach

  • Preventing attacks requires infallibility
  • Better to look for ways to limit damage
  • For example, would be better off if a package can’t import fs
  • JavaScript is good at code isolation. Clear separation between pure computation and connection to outside world

Realms – draft proposal

  • Want to be able to create realm without overhead of an iframe
  • Featherweight compartment – shares primordials/context
  • There is a realm shim now
  • Self/window not defined in the compartment

Attack – prototype poisoning

  • Save copy of original function
  • Do something bad first and then call original function so it looks right
  • SES (Secure ECMAScript) – realms + transitive freezing/hardening
  • Can’t change prototype behavior with SES
  • npm install ses
  • SES.makeSESRootRealm()


  • Principle of least authority
  • Same as principle of least privilege
  • Reasonable to want to access file system. Can attenuate (reduce the impact of) access by wrapping fs with check for correct file name. (Not clear how prevents using original fs). Method harden protects
  • The chalk package needs process/OS access to change color
  • But can kill process and change priority of process with that access
  • Want to limit access to just what needed
  • Chalk only needs OS to get the release. Can attenuate so just have that one function to return release string.
  • Object capabilities – http://habitatchronicles.com/2017/05/what-are-capabilities/

Moddable XS

  • Only complete ECMAScript 2018 engine optimized for embedded devices
  • Contains SES
  • Safe for users to install JS apps
  • Can only do specific things
  • Can add own app to washing machine

Metamask’s Sesify

  • Ethereum wallet
  • Can run Ethereum apps in browser without running full Ethereum node

Salesforce’s Locker Service

  • One of primary co-authors of Realms and SES
  • Plugin platform

Caveats for Realms

  • Work in progress
  • Have to stringify to use
  • Still in draft


  • What if add something bad? https://ocapjs.org/t/tofu-trusted-on-first-use-tool/27 Putting something bad in wrapper would show up in diff/code review.
  • How SES different than Object.freeze? Object.freeze only freezes that instance and doesn’t go up prototype chain
  • How know what functions/authorities need to provide to packages? Still developing patterns of use. For now might be trial and error. Might need changes to module.
  • Why don’t we hear about npm install attacks in other languages? Still have problems. Java can’t protect [I raised my hand and described how Sonatype helps protect Maven Central]. Worse on JavaScript because lots of tiny packages. Visibility will help in future.
  • Will this be bolted on to web frameworks? Hasn’t yet, but hope will happen.
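An added example (not code from the talk or from the ses package) covering two points on this page: the “save the original, do something extra, then call it” prototype poisoning pattern from the attack section, and the Q&A answer that Object.freeze stops at the instance while hardening walks the prototype chain. `harden` here is a teaching sketch of a transitive freeze, and `makeLoggerClass`, `tryPoison` and `runScenario` are names chosen for illustration. Unlike SES, which freezes the shared intrinsics inside a fresh realm, this sketch runs in the host realm and deliberately stops at `Object.prototype` and `Function.prototype` so it does not alter the process it runs in.

```javascript
// Added example, not code from the talk or from the ses package. harden() is
// a sketch of a transitive freeze; it stops at the host intrinsics so it can
// run in the same process as the reader's own code.
const HOST_BOUNDARY = new Set([Object.prototype, Function.prototype]);

// Freeze every object reachable from `root`: own property values, accessor
// functions and the prototype chain, stopping at the boundary set.
function harden(root, boundary = HOST_BOUNDARY) {
  const seen = new Set();
  const stack = [root];
  while (stack.length > 0) {
    const obj = stack.pop();
    if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) continue;
    if (seen.has(obj) || boundary.has(obj)) continue;
    seen.add(obj);
    Object.freeze(obj);
    stack.push(Object.getPrototypeOf(obj));
    for (const key of Reflect.ownKeys(obj)) {
      const desc = Object.getOwnPropertyDescriptor(obj, key);
      if ('value' in desc) stack.push(desc.value);
      if (desc.get) stack.push(desc.get);
      if (desc.set) stack.push(desc.set);
    }
  }
  return root;
}

// A fresh class per scenario so one scenario cannot affect another.
function makeLoggerClass() {
  return class Logger {
    constructor() { this.lines = []; }
    log(msg) { this.lines.push(msg); return msg; }
  };
}

// The pattern described in the talk: keep the original, do extra work first,
// then call the original so the caller sees a normal result. Returns whether
// the prototype method was actually replaced; in strict mode a write to a
// frozen object throws instead of failing silently.
function tryPoison(proto, captured) {
  'use strict';
  const original = proto.log;
  try {
    proto.log = function (msg) {
      captured.push(msg); // side channel the caller never sees
      return original.call(this, msg);
    };
    return true;
  } catch (e) {
    return false;
  }
}

function runScenario(protect) {
  const Logger = makeLoggerClass();
  const instance = new Logger();
  protect(Logger, instance);
  const captured = [];
  const poisoned = tryPoison(Object.getPrototypeOf(instance), captured);
  const result = instance.log('hello');
  return {
    poisoned,
    result,
    captured,
    instanceFrozen: Object.isFrozen(instance),
    protoFrozen: Object.isFrozen(Logger.prototype),
  };
}

// 1. No protection: the swap succeeds and the output still looks right.
function unprotected() { return runScenario(() => {}); }
// 2. Object.freeze on the instance only: the prototype stays writable.
function instanceOnly() { return runScenario((Logger, instance) => Object.freeze(instance)); }
// 3. harden walks the chain: the write is rejected and captured stays empty.
function hardened() { return runScenario((Logger) => harden(Logger)); }
```

Scenario 2 is the one that surprises people: the instance reports `Object.isFrozen(...) === true`, yet the method every instance actually runs is still replaceable through the prototype.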

My impressions

While I was aware of the problem, the solution (or future solution) is really interesting! She left lots of time for Q&A which was nice after yesterday. [My track didn’t have much time for Q&A in most sessions]

JavaOne – you got your browser in my virtual machine

“You got your Browser in my virtual machine! Leveraging sophisticated browser programming modes in your Java application”

Speaker: Ean Schuessler

For more blog posts from JavaOne, see the table of contents

He started by showing a video of the Sophia (and Einstein) robots. They look surprisingly humanoid. Not the video but this is the robot. Relevant in that we need better interfaces than we have now. Future: “that was the best customer service person; very patient and immune to me getting angry”

Web Extensions

  • Plugin for browser
  • Needed to use C in the past
  • Browser agnostic APIs
  • Write in JavaScript
  • Have access to browser components like history and open pages
  • Works on Firefox, Chrome, Opera and Edge. Works a bit differently on Edge [not Safari yet]
  • Contains manifest.json, html and javascript code for UI, background js (runs when browser opens and state stays until close browser) and content js (what see)

Isomorphic Apps

  • Code that can run on both client and server
  • Ex: Validation logic, business logic

JavaScript in your server
Nashorn is faster in Java 9
[glad I wrote the “throwaway” chapter on Nashorn for our book. Learned a lot]


  • WebWorkers – Don’t want intensive logic in main UI thread. WebWorker runs message/task in background.
  • indexedDB transactional persistent data store

It takes a lot to get users to install an app because of trust. Web/online mobile “apps” continue to grow as they get more powerful. Will need to have a really good reason to have an app. [irony with the JavaOne conference app?]

Evolution in JavaScript
Frameworks, immutables, reactive, functional programming, etc. Lots of libraries. Now that it is more mature, Java can cherry-pick from JavaScript.


  • React – UI model from Facebook. Very data intensive programming
  • Reducers – Virtual DOM is rerendered based on state change and then diffed against real DOM
  • Redux – extends to single immutable state. Reducer functions “modify” state
  • Helps debugging/testing because can replay actions from older state. Also helps with undo because can just go back a few states
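The replay and undo properties from the Redux bullets, as an added example that is not code from the talk or from Redux itself. `todosReducer`, `replay` and `createStore` are names chosen here; the store keeps every state and every action so that going back is indexing into history and debugging is folding the action log.

```javascript
// Added example, not code from the talk or from Redux. Assumed names:
// todosReducer, replay, createStore.

// Reducer: a pure function (state, action) -> new state. It never mutates
// its input, which is what makes old states safe to keep around.
function todosReducer(state, action) {
  switch (action.type) {
    case 'add':
      return { ...state, todos: [...state.todos, action.text] };
    case 'remove':
      return { ...state, todos: state.todos.filter((t) => t !== action.text) };
    default:
      return state;
  }
}

// Replay: rebuild any state by folding the action log over a starting state.
// Array.prototype.reduce passes (accumulator, item), which matches the
// reducer's (state, action) signature exactly.
function replay(reducer, initial, actions) {
  return actions.reduce(reducer, initial);
}

// Store that records every state and every action. Undo is a slice of the
// history; debugging a bad state is replaying the log up to the step where
// it went wrong. States are frozen so nothing can edit history in place.
function createStore(reducer, initial) {
  const history = [Object.freeze(initial)];
  const log = [];
  return {
    dispatch(action) {
      const next = reducer(history[history.length - 1], action);
      history.push(Object.freeze(next));
      log.push(action);
      return next;
    },
    getState() { return history[history.length - 1]; },
    stateAfter(n) { return history[n]; }, // state after the first n actions
    actions() { return log.slice(); },
    undo(steps) {                         // drop the last `steps` states and actions
      const keep = Math.max(1, history.length - steps);
      history.length = keep;
      log.length = keep - 1;
      return history[keep - 1];
    },
  };
}

function demo() {
  const store = createStore(todosReducer, { todos: [] });
  store.dispatch({ type: 'add', text: 'write tests' });
  store.dispatch({ type: 'add', text: 'review PR' });
  store.dispatch({ type: 'remove', text: 'write tests' });
  const current = store.getState().todos;
  const replayed = replay(todosReducer, { todos: [] }, store.actions()).todos;
  const afterTwo = store.stateAfter(2).todos;
  const undone = store.undo(1).todos;
  return { current, replayed, afterTwo, undone, remainingActions: store.actions().length };
}
```

Because the reducer is pure, `replay` over the recorded actions reproduces exactly the state the store holds, which is the property that makes action-log debugging and time-travel tools possible.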

Filter Bubble

  • Cognitive bias from friends, reading, etc. Disagreeable facts never reach us
  • Social networks and search engines feed us information they think we will like. Not even conscious of the bias. Disparity – they know more than you about what you see
  • You trust your spam filter – it controls whether you see a message
  • Filter Bubble web extension – determines where you spend time so you know too. Uses word frequency analysis

My take: Nice to see Oracle is open minded about having JavaScript content at JavaOne. There was even a bit of Java in this talk. Good first session. A mix of things that I didn’t know, things that I knew at one point and forgot. Plus some things I know. Happy to start the day with learning!

Wikipedia SOPA Protest Easy Workaround

After hearing all the media buzz around Google and Wikipedia protesting SOPA, I expected to go to Wikipedia’s website and see the entire website disabled. To my surprise, the Wikipedia worked just fine for me this morning. I asked friends and colleagues if they could access Wikipedia and they could not. Then I realized the reason… I use a JavaScript blocker that requires me to enable JavaScript per-site and Wikipedia’s block amounts to a post-load JavaScript hack. Simple and easy to implement, but also easy to defeat.

If you want to continue using Wikipedia today, install a JavaScript blocker into your browser and set it to block anything from “wikimedia.org”. In Firefox, I recommend NoScript and in Google Chrome I recommend NotScripts.

I fully support Google and Wikipedia in their efforts to block SOPA. I just found it interesting that Wikipedia’s block implementation was so trivial, anyone could get around it and access the website as normal. Once you finally do enable JavaScript the page looks like this: