This Week on npm v20181130: event-stream, qs, snapdragon-node

It's been a wild week in the JavaScript community with the event-stream controversy. An attacker offered to maintain the popular event-stream npm module, was handed publish rights, and pushed a patch release, 3.3.6, that added a new dependency whose code was designed to steal Bitcoin. The attacker then released a major version, 4.0.0, that dropped the dependency again, which hid the change from anyone looking only at the latest version. This GitHub issue was both entertaining and a little terrifying.

Vet and Track Your Dependencies

Many devs in this thread made the point that, since most OSS licenses disclaim any warranty, the responsibility for verifying the security of the code falls on the consumer. For example, here are TJ's comments:

The question is, how are you supposed to vet your code when you have hundreds of upstream dependencies? As a consumer, how do you even find out about new releases that affect you? Most developers don't depend on event-stream directly; the most likely entry point is gulp <= 3.2.4 and several gulp plugins. The attacker disguised the change as the fix for a long-outstanding feature request, implemented by pulling in a new package. So how do you check whether a dependency two levels removed from gulp is stealing your Bitcoin?
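One concrete way to answer that question for your own project, as an added example rather than code from the original post or from JSReport: walk package-lock.json and print every path from a declared dependency down to a given package@version. The package.json and lockfile below are constructed sample data (the nested event-stream copy under gulp stands in for a tree that resolved 3.3.6 there and 3.3.4 at the top level); the layout is lockfile v1, which npm 5 and 6 write.

```javascript
'use strict';

// Added example, not code from the original post or from JSReport: find every
// dependency path from your declared dependencies to a target package@version
// (e.g. event-stream@3.3.6) by walking package-lock.json (lockfile v1).
// Both objects below are constructed sample data, not a real project's files.

const SAMPLE_PACKAGE_JSON = {
  dependencies: { gulp: '^3.2.0', webpack: '^4.26.0' },
};

const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    gulp: {
      version: '3.2.4',
      requires: { 'event-stream': '~3.3.0', 'vinyl-fs': '0.1.0' },
      // npm records a second copy of a package under a dependency when the
      // top-level copy does not satisfy that dependency's range.
      dependencies: {
        'event-stream': {
          version: '3.3.6',
          requires: { 'flatmap-stream': '0.1.1', through: '~2.3.1' },
        },
      },
    },
    'event-stream': { version: '3.3.4', requires: { through: '~2.3.1' } },
    'flatmap-stream': { version: '0.1.1' },
    through: { version: '2.3.8' },
    'vinyl-fs': { version: '0.1.0', requires: { 'event-stream': '~3.3.0' } },
    webpack: { version: '4.26.1' },
  },
};

// Lockfile v1 resolution: a name required from a package nested inside `chain`
// is looked up in the nearest enclosing "dependencies" map, innermost first,
// ending at the top level. Returns the node and the physical chain it lives in,
// because a hoisted package's own requires resolve from where it is installed,
// not from the package that required it.
function resolveDep(chain, name) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const deps = chain[i].dependencies;
    if (deps && deps[name]) {
      return { node: deps[name], chain: chain.slice(0, i + 1) };
    }
  }
  return null; // not in the lockfile: the lock is out of sync with the tree
}

// Depth-first walk from each declared dependency, collecting
// "a@1 -> b@2 -> target@version" strings for every route to the target.
function findPaths(pkgJson, lock, targetName, targetVersion) {
  const hits = [];
  const walk = (chain, name, node, trail) => {
    const label = `${name}@${node.version}`;
    const path = trail.concat(label);
    if (name === targetName && node.version === targetVersion) {
      hits.push(path.join(' -> '));
    }
    const inner = chain.concat(node);
    for (const depName of Object.keys(node.requires || {})) {
      const hit = resolveDep(inner, depName);
      if (!hit) continue;
      // Cycle guard: lockfiles can contain circular requires.
      if (path.includes(`${depName}@${hit.node.version}`)) continue;
      walk(hit.chain, depName, hit.node, path);
    }
  };
  const direct = Object.assign({}, pkgJson.dependencies, pkgJson.devDependencies);
  for (const name of Object.keys(direct)) {
    const hit = resolveDep([lock], name);
    if (hit) walk(hit.chain, name, hit.node, []);
  }
  return hits;
}

// On the sample lock, gulp pulls in the compromised copy; vinyl-fs does not.
console.log(findPaths(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK, 'event-stream', '3.3.6'));

module.exports = { findPaths, resolveDep, SAMPLE_PACKAGE_JSON, SAMPLE_LOCK };
```

`npm ls event-stream` answers the same question for the tree that is currently installed; reading the lockfile means the check can run in CI before anything is installed. The resolution rule is the part people get wrong: vinyl-fs above is hoisted to the top level, so its `~3.3.0` resolves to the top-level 3.3.4, while gulp's own nested copy is 3.3.6. Only the second path is the one to worry about.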

Here's a full list of the most recent releases for packages with more than 100k monthly downloads that depend on the compromised event-stream@3.3.6.

At JSReport, we're working to make tracking what's going on in your ./node_modules as easy as keeping up with the news. Our first product is our Slack integration that posts new releases, with changelogs, to a Slack channel in realtime. Next up, we're working on adding support for notifying you of releases to upstream dependencies in your semver range, and a weekly email integration for people who think Slack is too noisy.

This Week's Releases

Without further ado, here are the most popular packages that published new releases to npm this week. Like last week, we break down releases by major, minor, and patch.

Major:

1) snapdragon-node@3.0.0: Class for creating AST nodes.

2) postcss-modules-scope@2.0.0: A CSS Modules transform to extract export statements from local-scope classes

3) postcss-modules-local-by-default@2.0.0: A CSS Modules transform to make local scope the default

4) postcss-modules-values@2.0.0: PostCSS plugin for CSS Modules to pass arbitrary values between your module files

5) array-back@3.0.0: Guarantees an array back

6) precss@4.0.0: Use Sass-like markup and staged CSS features in CSS

7) jest-fetch-mock@2.0.0: fetch mock for jest

Minor:

1) qs@6.6.0: A querystring parser that supports nesting and arrays, with a depth limit

2) string_decoder@1.2.0: The string_decoder module from Node core

3) mime@2.4.0: A comprehensive library for mime-type mapping

4) tough-cookie@2.5.0: RFC6265 Cookies and Cookie Jar for node.js

5) regjsparser@0.5.0: Parsing the JavaScript's RegExp in JavaScript.

6) hoist-non-react-statics@3.2.0: Copies non-react specific statics from a child component to a parent component

7) @angular-devkit/core@7.1.0: Angular DevKit - Core Utility Library

8) aws-sdk@2.363.0: AWS SDK for JavaScript

9) joi@14.3.0: Object schema validation

10) ps-tree@1.2.0: Get all children of a pid

Patch:

1) hoek@6.0.4: General purpose node utilities

2) expand-range@2.0.2: Fast, bash-like range expansion. Expand a range of numbers or letters, uppercase or lowercase. Used by micromatch.

3) electron-to-chromium@1.3.85: Provides a list of electron-to-chromium version mappings

4) caniuse-lite@1.0.30000912: A smaller version of caniuse-db, with only the essentials!

5) tapable@1.1.1: Just a little module for plugins.

6) webpack@4.26.1: Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.

7) ast-types@0.11.7: Esprima-compatible implementation of the Mozilla JS Parser API

8) caniuse-db@1.0.30000912: Raw browser/feature support data from caniuse.com

9) http-proxy-middleware@0.19.1: The one-liner node.js proxy middleware for connect, express and browser-sync

10) tsutils@3.5.1: utilities for working with typescript's AST

snapdragon-node@3.0.0

You might be surprised that this week's biggest major release is a package that you've probably never used directly. The snapdragon-node module sits a couple of layers below the popular micromatch glob-matching library. If you use webpack or stylelint, snapdragon-node is three levels down: webpack -> micromatch -> braces -> snapdragon-node. Don't panic: braces depends on snapdragon-node with a caret range (^2.0.1), which 3.0.0 does not satisfy, so this release won't cause the next webpack npm install breakage.

However, this release highlights the challenge of vetting your npm dependencies on an ongoing basis. If there's a major release three or four layers down, some intermediate module may use * or >= and pull it into your build even if your own package.json pins exact versions: pinning only constrains your direct dependencies. Committing package-lock.json (or yarn.lock) and installing with npm ci is what freezes the whole tree.
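An added example (not code from the original post or from any of the packages named) that audits a lockfile for exactly the loose ranges this passage warns about: every `requires` entry that puts no cap on the major version. The lock below is constructed; `old-plugin` is a hypothetical package included to show the failing case, and the webpack/micromatch/braces chain is an illustration of the layout, not a copy of those packages' real manifests.

```javascript
'use strict';

// Added example, not from the original post: list every `requires` range in a
// package-lock.json (lockfile v1, as npm 5/6 write it) that admits a future
// major version. Such a range lets a major release several layers down change
// what a fresh install without the lock resolves, whatever your own
// package.json pins. The lock below is constructed; "old-plugin" is hypothetical.

const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    webpack: { version: '4.26.1', requires: { micromatch: '^3.1.8' } },
    micromatch: { version: '3.1.10', requires: { braces: '^2.3.1' } },
    braces: { version: '2.3.2', requires: { 'snapdragon-node': '^2.0.1' } },
    'snapdragon-node': { version: '2.1.1' },
    'old-plugin': {
      version: '1.0.0',
      requires: { 'snapdragon-node': '*', lodash: '>=4.0.0' },
    },
    lodash: { version: '4.17.11' },
  },
};

// A range is unbounded when nothing in it caps the major version: '*', '',
// 'x', 'latest', or a lower bound (> or >=) with no upper bound (< or <=).
// Caret, tilde, exact versions and x-ranges such as 2.x all stay within a major.
// URL and file specifiers are not matched and are reported as bounded.
function isUnboundedRange(range) {
  const r = String(range).trim();
  if (r === '' || r === '*' || r === 'x' || r === 'latest') return true;
  return /^>=?\s*\d/.test(r) && !/<=?\s*\d/.test(r);
}

// Visit every node, top level and nested copies alike, and report
// "package@version requires dep: range" for each unbounded range.
function findUnboundedRanges(lock) {
  const found = [];
  const visit = (name, node) => {
    for (const [dep, range] of Object.entries(node.requires || {})) {
      if (isUnboundedRange(range)) {
        found.push(`${name}@${node.version} requires ${dep}: ${range}`);
      }
    }
    for (const [child, childNode] of Object.entries(node.dependencies || {})) {
      visit(child, childNode);
    }
  };
  for (const [name, node] of Object.entries(lock.dependencies || {})) {
    visit(name, node);
  }
  return found;
}

console.log(findUnboundedRanges(SAMPLE_LOCK));

module.exports = { isUnboundedRange, findUnboundedRanges, SAMPLE_LOCK };
```

Run this against a real lock and every line it prints is a place where a stranger's major release can reach your build the next time the lock is regenerated. The fix is on your side: keep the lock committed, install with npm ci, and treat lock changes in a pull request as code to review.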

qs@6.6.0

The qs module is the query-string parser Express uses. Express pins an exact version of qs, so this release also won't reach you through Express.

The primary new feature in this release is a charset option (with a companion charsetSentinel option) that lets parse decode percent-escapes as ISO-8859-1, the encoding that old Internet Explorer and other non-UTF-8 pages submit forms in.

$ npm install qs@6.6.0
$ node
> const qs = require('qs')
undefined
> qs.parse('a=%A7')
{ a: '%A7' }
> qs.parse('a=%A7', { charset: 'iso-8859-1' }) // New in 6.6.0
{ a: '§' }
>
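The REPL session shows the result; the example below, added here and not taken from qs or from the original post, re-implements the two behaviours behind it in a few lines so you can see what a validator or WAF sees under each charset, including the utf8=✓ sentinel convention that charsetSentinel keys off. The parser is deliberately flat (no nesting or arrays); the constants and the parseQuery/decodeValue names are this example's own.

```javascript
'use strict';

// Added example, not code from qs or from the original post. It shows:
//   - UTF-8 decoding of a lone %A7 fails (not a valid UTF-8 sequence), so the
//     escaped text is kept as-is;
//   - ISO-8859-1 decoding maps %A7 to U+00A7 ('§'), one byte to one character,
//     which Node's legacy unescape() does;
//   - a hidden utf8=✓ form field arrives as %E2%9C%93 from a UTF-8 page and as
//     the numeric entity %26%2310003%3B (utf8=&#10003;) from an ISO-8859-1 page,
//     which is how a server can tell which charset the browser actually used.
// Validate input after decoding it once with the charset you actually chose:
// a filter that decodes as UTF-8 sees '%A7' where the application sees '§'.

const UTF8_SENTINEL = '%E2%9C%93';        // utf8=✓ from a UTF-8 form
const LATIN1_SENTINEL = '%26%2310003%3B'; // utf8=&#10003; from an ISO-8859-1 form

function decodeValue(raw, charset) {
  const s = raw.replace(/\+/g, ' ');
  if (charset === 'iso-8859-1') {
    return s.replace(/%[0-9a-f]{2}/gi, unescape); // one byte -> one Latin-1 char
  }
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s; // invalid UTF-8 sequence: keep the escaped text rather than throw
  }
}

// opts.charset: 'utf-8' (default) or 'iso-8859-1'.
// opts.charsetSentinel: when true, a utf8=... pair overrides opts.charset and is
// removed from the result.
function parseQuery(query, opts) {
  const options = Object.assign({ charset: 'utf-8', charsetSentinel: false }, opts);
  const pairs = query.split('&').filter(Boolean);
  let charset = options.charset;
  if (options.charsetSentinel) {
    const idx = pairs.findIndex((p) => p.startsWith('utf8='));
    if (idx !== -1) {
      const val = pairs[idx].slice('utf8='.length);
      if (val === UTF8_SENTINEL) charset = 'utf-8';
      else if (val === LATIN1_SENTINEL) charset = 'iso-8859-1';
      pairs.splice(idx, 1);
    }
  }
  const out = {};
  for (const pair of pairs) {
    const eq = pair.indexOf('=');
    const key = decodeValue(eq === -1 ? pair : pair.slice(0, eq), charset);
    const val = eq === -1 ? '' : decodeValue(pair.slice(eq + 1), charset);
    out[key] = val;
  }
  return out;
}

console.log(parseQuery('a=%A7'));                                   // { a: '%A7' }
console.log(parseQuery('a=%A7', { charset: 'iso-8859-1' }));        // { a: '§' }
console.log(parseQuery('utf8=%26%2310003%3B&a=%A7', { charsetSentinel: true })); // { a: '§' }

module.exports = { parseQuery, decodeValue, UTF8_SENTINEL, LATIN1_SENTINEL };
```

The last case is the one that matters operationally: with charsetSentinel the browser tells you the charset, so the same handler can accept both kinds of form without guessing, and without a second decoding pass later in the stack.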

Moving On

Event-stream notwithstanding, this was a quiet week on npm with only 37,782 new releases between November 23 and November 30. How many of those affect you? Check out JSReport for Slack and keep up to date with the JavaScript libraries you depend on.