
> If NPM/Github were being responsible here, they would make package owners re-upload clean copies of anything which hasn't been touched since before the start of their audit logs.

I’m surprised more isn’t being said about this part. Any stale dependency is now untrustworthy and they all need a version bump to prove provenance. This is potentially something GitHub could protect against server-side for everybody or build into NPM. They know if a version was published before this date and can stop people from using them.



It should be possible to generate a list of package versions uploaded before September 2020, sorted by number of weekly downloads, to empower users of those packages to upgrade to a newer version (if there is one) or file an issue against that package asking for a release of a new patch version (if there isn't).

Unfortunately, the number of weekly downloads wouldn't give much indication of how many people were affected, since some of the downloads will be by bots or eager CI systems, and some organisations cache packages locally after the first download.
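The check the comment above describes, as an added example that is not from the thread or from any tool mentioned in it: the npm registry's per-version publish timestamps (the `time` field that `npm view <pkg> time --json` prints) compared against a project's lockfile, covering nested and transitive copies as well as direct dependencies. Every package name, version and date below is constructed sample data.

```javascript
// Added example (not the audit-pack-age tool): flag locked dependencies whose exact
// version was published before a cutoff date, using the per-version publish timestamps
// the npm registry exposes in its "time" field. All names, versions and dates are constructed.
const CUTOFF = new Date("2020-09-01T00:00:00Z"); // "before September 2020" in the thread

// Constructed registry "time" documents: { created, modified, "<version>": "<ISO date>" }.
const REGISTRY_TIME = {
  "example-left-pad": { created: "2014-05-01T00:00:00Z", "1.3.0": "2018-03-05T10:00:00Z", "1.3.1": "2021-01-10T12:00:00Z" },
  "example-fresh":    { created: "2020-10-01T00:00:00Z", "2.0.0": "2020-10-01T00:00:00Z" },
  "example-nested":   { created: "2016-02-02T00:00:00Z", "0.9.0": "2016-02-02T00:00:00Z" },
};
// Constructed package-lock.json (lockfileVersion 2). "packages" is keyed by install
// path, so transitive and nested copies are covered, not just direct dependencies.
const LOCKFILE = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-left-pad": { version: "1.3.0" },
    "node_modules/example-fresh": { version: "2.0.0" },
    "node_modules/example-fresh/node_modules/example-left-pad": { version: "1.3.1" },
    "node_modules/example-nested": { version: "0.9.0" },
    "node_modules/example-unknown": { version: "1.0.0" },
  },
};

// Package name from a lockfile path; handles nested node_modules and @scope/name.
function nameFromLockPath(lockPath) {
  return lockPath.slice(lockPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

// One record per locked version published before `cutoff`, listing versions published at or
// after the cutoff as upgrade candidates; versions the registry has no timestamp for are
// reported too, since they cannot be cleared either way.
function findStaleDependencies(lockfile, registryTime, cutoff) {
  const stale = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages)) {
    if (lockPath === "") continue; // the root project itself
    const name = nameFromLockPath(lockPath);
    const times = registryTime[name] || {};
    const published = times[entry.version];
    if (!published) {
      stale.push({ name, version: entry.version, published: null, reason: "no registry timestamp" });
    } else if (new Date(published) < cutoff) {
      const upgradeCandidates = Object.keys(times)
        .filter((v) => v !== "created" && v !== "modified" && new Date(times[v]) >= cutoff);
      stale.push({ name, version: entry.version, published, upgradeCandidates });
    }
  }
  return stale;
}
```

For a real project, substitute each locked name's `time` object from `npm view <name> time --json` for REGISTRY_TIME; a hit only means the version predates the cutoff and still needs a manual comparison against its repository, not that it was tampered with.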


I’ve published a tool that will scan a JavaScript project and report any affected packages.

https://www.npmjs.com/package/audit-pack-age


That's great, thank you! Does it check recursive dependencies, and could you make it work against a package you haven't installed yet, by specifying the package name as an argument, rather than it only looking at what's already installed?

If that's possible, it would be really good to then run it against a list of popular packages, like [1] or [2], and report back which packages are the highest priority for getting version bumps (or at least for having someone manually check that the code in the package matches the code in its repo, which we assume an attacker didn't have control over).

[1] https://libraries.io/search?order=desc&page=1&per_page=100&p...

[2] https://gist.github.com/anvaka/8e8fa57c7ee1350e3491


It's cynical, I know, but I can't keep from wondering whether your npm package has already been compromised by another hidden flaw to prevent us from finding out which older ones are at risk?



