A path towards securing every module

Static analysis, npm, and security. Presented at NodeSummit 2015.

Charlie Robbins

March 10, 2015

Transcript

  1. SHOW YOUR ALMA MATER SOME LOVE. AND YES, WE WROTE A FORMAL RESEARCH PAPER AND EVERYTHING.
  2. THE FEEDBACK MECHANISMS: GITHUB ISSUES, WRITE A BLOG POST, TWITTER DISCUSSIONS, EMAIL A MAILING LIST
     (chart axes: USED MOST INFREQUENTLY / MOST EFFECTIVE)
  3. BUT HOW DO WE ANSWER A QUESTION LIKE THIS?
  4. [Graph figures: node sets labelled A-E, A-F and A-H, with numbered and weighted edges]
  5. THESE KINDS OF GRAPHS
  6. ALL OF THESE GRAPHS ARE DIFFERENT, OF COURSE
  7. UNDIRECTED, DIRECTED, WEIGHTED, TREES, BIPARTITE
  8. TRANSPORTATION NETWORKS, INFORMATION NETWORKS, MOLECULAR CHEMISTRY, WIRELESS NETWORKS, MAJOR LEAGUE BASEBALL, DEPENDENCY MANAGEMENT
  9. DEPENDENCY GRAPHS? I don't know... SOUNDS COMPLICATED FOR my tastes.
  10. WITH A PACKAGE.JSON FILE
      {
        "name": "pkg-a",
        "dependencies": { "pkg-b": "~1.0.4", "pkg-c": "~2.1.3" },
        "devDependencies": { "pkg-d": "~3.1.2" },
        "main": "./index.js"
      }
  11. [Graph: node na for pkg-a]
  12. [Graph: nodes na, nb, nc, nd for pkg-a and its three dependencies]
  13. [Same graph as slide 12]
  14. Now imagine this for 100,000+ packages!
  15. DR. EMMETT OCTOCAT SAYS: "YOU'VE GOT TO COME BACK WITH ME. BACK TO GITHUB!"
  16. indexzero/npm-codependencies, indexzero/npm-comp-stat-www, indexzero/npm-static-stats, indexzero/npm-pipeline
  17. YO DAWG, I HEARD YOU LIKE NPM... BY USING IT, OF COURSE, ALONG WITH A DATA PIPELINE
  18. [Pipeline diagram] DOWNLOAD & UNTAR -> AST COMPUTATION -> DEPENDENCY GRAPH
  19. A DATA PIPELINE. THE SET OF ANALYSIS MODULES AND THE SPECIFIC WORK CHANGES, BUT THE DATA PIPELINE Stays the same, MAKING IT HIGHLY PARALLELIZABLE.
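The dependency graph sketched on slides 10-14 (package.json files turned into nodes na, nb, nc, nd) and produced by the last stage of the pipeline on slides 18-19, as an added example that is not the deck's own code or any of the indexzero repositories: the REGISTRY, the extra package versions and the tilde-only semver matcher are constructed for the example, and pkg-a's document is the one shown on the slides.

```javascript
// Added example (not the deck's code): build the dependency graph the slides
// sketch from package.json documents, then ask which nodes a flawed package
// reaches. REGISTRY is constructed; pkg-a's document is the one on the slides.
const REGISTRY = {
  'pkg-a': { '1.0.0': { dependencies: { 'pkg-b': '~1.0.4', 'pkg-c': '~2.1.3' },
                        devDependencies: { 'pkg-d': '~3.1.2' } } },
  'pkg-b': { '1.0.4': {}, '1.0.9': { dependencies: { 'pkg-c': '~2.1.0' } }, '1.1.0': {} },
  'pkg-c': { '2.1.3': {}, '2.1.7': {}, '2.2.0': {} },
  'pkg-d': { '3.1.2': {} },
};
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
// Minimal semver stand-in (the real resolver is the `semver` package):
// exact "1.2.3", or tilde "~1.2.3" meaning >=1.2.3 <1.3.0.
function satisfies(range, version) {
  const v = parse(version);
  if (!range.startsWith('~')) return cmp(v, parse(range)) === 0;
  const r = parse(range.slice(1));
  return v[0] === r[0] && v[1] === r[1] && cmp(v, r) >= 0;
}
// Highest published version matching the range, or null if none does.
function resolve(name, range, registry = REGISTRY) {
  const ok = Object.keys(registry[name] || {}).filter((v) => satisfies(range, v));
  return ok.sort((a, b) => cmp(parse(b), parse(a)))[0] || null;
}
// Nodes are "name@version"; edges carry the dependency kind. devDependencies
// are followed only from the root, as `npm install` does.
function buildGraph(rootName, rootVersion, registry = REGISTRY) {
  const nodes = new Set(), edges = [], queue = [[rootName, rootVersion, true]];
  while (queue.length) {
    const [name, version, isRoot] = queue.shift();
    const id = `${name}@${version}`;
    if (nodes.has(id)) continue;          // shared dependency: one node, many in-edges
    nodes.add(id);
    const doc = registry[name][version];
    const wanted = [['prod', doc.dependencies || {}]];
    if (isRoot) wanted.push(['dev', doc.devDependencies || {}]);
    for (const [kind, deps] of wanted) for (const [dep, range] of Object.entries(deps)) {
      const picked = resolve(dep, range, registry);
      if (picked === null) throw new Error(`no version of ${dep} satisfies ${range}`);
      edges.push([id, `${dep}@${picked}`, kind]);
      queue.push([dep, picked, false]);
    }
  }
  return { nodes, edges };
}
// Reverse lookup: every node that would be exposed if `target` had a flaw.
function dependentsOf(graph, target) {
  return graph.edges.filter(([, to]) => to === target).map(([from]) => from).sort();
}
```

Run over the whole registry instead of one root, the same walk gives the fan-in of every published version, which is the question a static-analysis pass over 100,000+ packages has to answer before a finding in one module can be mapped to the modules it affects.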