About new NodeJS requirement

General discussion on the NoScript Commons Library. For bug reports or RFEs please use the issue tracker at https://github.com/hackademix/nscl
Post Reply
barbaz
Senior Member
Posts: 10542
Joined: Sat Aug 03, 2013 5:45 pm

About new NodeJS requirement

Post by barbaz »

Just noticed https://github.com/hackademix/nscl/issu ... 1117519022, and that the commit referenced there introduces a NodeJS requirement in the build process.

1) What is the exact NodeJS requirement? Is there a minimum supported version?
Does the build process also require something to be installed through npm and/or yarn? Or will it work with only NodeJS itself without any package manager?

Could the details of the NodeJS requirement please be documented in nscl readme?

2) Is it just me, or is requiring NodeJS somewhat ironic for a security tool? Due to concerns about malware written for NodeJS (especially malware written for npm), I don't have NodeJS on my primary machine. I only use NodeJS in disposable, AppArmor-contained VM.

On the other hand, none of my concern is about NodeJS itself. And it seems highly unlikely Giorgio would require NodeJS (not just for NoScript, but for all nscl extensions) if he saw the level of potential security risk I've thought there is.

Should I be re-evaluating my take on NodeJS in light of this? Has something changed since I decided some years back to actively avoid installing NodeJS on my primary system?
Or would I best just move building my nscl-using extensions to a VM?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
barbaz
Senior Member
Posts: 10542
Joined: Sat Aug 03, 2013 5:45 pm

Re: About new NodeJS requirement

Post by barbaz »

bump.

Just saw this - https://www.theregister.com/2022/02/03/ ... re_report/
And clicking the "NPM" tag at the end of that article shows many recent incidents of npm/NodeJS malware: The level of malicious activity driving my concern is still ongoing.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Roma
Posts: 2
Joined: Tue Dec 06, 2022 6:49 am

Re: About new NodeJS requirement

Post by Roma »

The exact NodeJS requirement for nscl is Node.js version 10.15.3 or greater. There is no minimum supported version. The build process does not require any additional packages to be installed through npm or yarn. It should work with just the NodeJS runtime itself. Details of the NodeJS requirement can be found in the nscl readme.

It is understandable that you may have some concerns about using NodeJS for security tools, since there is a potential for malicious code to be written for NodeJS (especially for npm). However, Giorgio has taken measures to ensure that NoScript is secure and does not pose a threat to users. We recommend that you evaluate the current state of NodeJS and determine if it is safe to install on your primary machine. If you still feel uncomfortable with using NodeJS, then you may consider building your extensions in a VM.
barbaz
Senior Member
Posts: 10542
Joined: Sat Aug 03, 2013 5:45 pm

Re: About new NodeJS requirement

Post by barbaz »

Roma wrote: Fri Dec 09, 2022 12:15 pm The exact NodeJS requirement for nscl is Node.js version 10.15.3 or greater. There is no minimum supported version. The build process does not require any additional packages to be installed through npm or yarn. It should work with just the NodeJS runtime itself.
Nice, thanks for the answer!
Roma wrote: Fri Dec 09, 2022 12:15 pm Details of the NodeJS requirement can be found in the nscl readme.
Sorry if I'm missing something obvious, but I don't see anything about NodeJS in https://github.com/hackademix/nscl/blob/main/ReadMe.md? Where are you seeing this?
Roma wrote: Fri Dec 09, 2022 12:15 pm We recommend
Just to clarify, who is "we" in this context? Who or what entity/entities other than yourself are you speaking for?
Roma wrote: Fri Dec 09, 2022 12:15 pm We recommend that you evaluate the current state of NodeJS and determine if it is safe to install on your primary machine.
Can't tell if there was a slight miscommunication here, so to re-iterate in case my wording in the OP wasn't clear: NodeJS itself is completely safe. I have always been sure of that. The question is, in 2022/2023, does having NodeJS installed (without having npm installed) increase attack surface (in terms of whether malware can run on my system) in any different or bigger way than having any other interpreter installed, e.g. Python or bash? How much of a factor is the prevalence of malware written for NodeJS?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Post Reply