Episode 361: JSJ 357: Event-Stream & Package Vulnerabilities with Richard Feldman and Hillel Wayne

JavaScript Jabber

• Episode: Episode 361: JSJ 357: Event-Stream & Package Vulnerabilities with Richard Feldman and Hillel Wayne
• Website: JavaScript Jabber
• Feed URL: https://feeds.feedwrench.com/JavaScriptJabber.rss
• Duration: 01:10:16
• Published: 2019-03-26 11:00

Sponsors

• Triplebyte
• Sentry use the code “devchat” for $100 credit
• Clubhouse
• CacheFly

Panel

• Aaron Frost
• AJ O’Neal
• Chris Ferdinandi
• Joe Eames
• Aimee Knight
• Charles Max Wood

Joined by special guests: Hillel Wayne and Richard Feldman

Episode Summary

In this episode of JavaScript Jabber, Hillel Wayne kicks off the podcast by giving a short background about his work, explains the concepts of formal methods and the popular npm package - event-stream, in brief. The panelists then dive into the recent event-stream attack and discuss it at length, focusing on different package managers and their vulnerabilities, as well as the security issues associated with them. They debate on whether paying open source developers for their work, thereby leading to an increase in contribution, would eventually help in improving security or not. They finally talk about what can be done to fix certain dependencies and susceptibilities to prevent further attacks and if there are any solutions that can make things both convenient and secure for users.

Links

• STAMP model in accident investigation
• Hillel’s Twitter
• Hillel’s website
• Richard’s Twitter
• Stamping on Event-Stream

Picks

Joe Eames:

• Stuffed Fables

Aimee Knight:

• SRE book - Google
• Lululemon leggings
• DVSR - Band

Aaron Frost:

• JSConf US

Chris Ferdinandi:

• Paws New England
• Vanilla JS Guides

Charles Max Wood:

• Sony Noise Cancelling Headphones
• KSL Classifieds
• Upwork

Richard Feldman:

• Elm in Action
• Sentinels of the Multiverse

Hillel Wayne:

• Elm in the Spring
• Practical TLA+
• Nina Chicago - Knitting
• Tomb Trader

Special Guests: Hillel Wayne and Richard Feldman.