True not true.. npm installs... extention installs ... or 3rd party scripts.... DO we actually check them....?!

True not true.. npm installs... extension installs... or 3rd party scripts.... Do we actually check them....???!!! Even just "extensions" from other Wapplers... (non-official Wappler extensions). Yes they make our lives so much easier... because somebody else did our work for us... BUT.... who actually checks these scripts to make sure they are legit... as we just install stuff.... Just 2 of the cases...

++++++++++++++++++

In March 2016, developer Azer Koçulu removed a JavaScript package called “left-pad” from the NPM repository. The module had just 11 lines of code and added characters to the left of a string, like turning “7” into “007”.

Despite its simplicity, “left-pad” was a critical dependency in thousands of projects, including Babel, React, and Webpack. Its removal triggered widespread installation and deployment failures, affecting companies like Facebook, Netflix, and Spotify.

The incident disrupted parts of the web ecosystem for hours. NPM restored the package urgently, sparking debate over the fragility of open-source software and governance in public repositories.

+++++++++++++++++++++++

This Developer Lost $500,000 While Coding in Cursor - I Explain Why

A blockchain developer lost $500,000 of cryptocurrency due to a malicious extension in the Cursor IDE. In this video, I detail the developer's journey, the attack's mechanics, and how the malicious code infiltrated his development environment. It explains the vulnerabilities in the Cursor extension marketplace, how attackers exploit these gaps, and offers practical strategies for developers to safeguard against such threats.

Another interpretation of this is that the web is dependent on 3rd party extensions and they are an essential part of the ecosystem.

Somewhat surprised at these "catastrophic failures" as npm contents are copied to your source on install, so simple removal of the npm should not break them.
If you really want to break things then releasing a broken update is the way to go, assuming the developer installs updates without checking.
So yes, there is an issue, as there is with any software (even the team break Wappler occasionally), but any developer using git or similar technologies, coupled with proper local testing before releasing to production, should mitigate any issues.

Also if npms are MIT licence or similar, you are allowed to download a copy from npm so if there is an issue you can simply publish your own version.

However, I personally am cautious of using anything other than official or well-respected npms.

Maybe a bit of "sensationalism" in those articles.

3 Likes

The simple answer is that in the case of something like left-pad, it's not really going to affect a solo dev who's running a single instance of a site.

There have been a few of these NPM deletion episodes over the last couple of years, a few that took down big sites. From what I recall and understand, these failures mostly happened because they couldn't spin up new servers for load balancing, because of the missing NPM, which then caused the load to overwhelm the servers that remained up. This isn't something git would resolve, because you aren't and shouldn't be pushing the node_modules folder. Likewise, you wouldn't be copying this folder over when doing load balancing, you'd be installing each time.

In terms of the Wappler ecosystem, installing an extension copies files over to the extensions' folder, so theoretically an extension being deleted wouldn't cause an issue unless you had to NPM I again, but you could just remove it from the package.json, and you'd be fine since the files are still in the extensions' folder.

However, that still poses the same issue: if you're load balancing and constantly spinning up and spinning down servers, you'll have the same issue because you'll error out. Likewise, if one of the NPM packages Wappler depends on gets deleted, you'd have the same issue.

That said, since the left-pad incident, NPM did make some changes, and I think it's safe to say the vast majority of Wappler users are not using dynamic load balancing on their sites, so deleted packages probably aren't something you really have to worry about too much.

In terms of Malware, well, I guess that's a whole conversation in itself, but really it comes down to what would happen if you downloaded malware to your own system from anywhere?

1 Like

but in theory..... if somebody, a new member.... creates a free Wappler extension for everybody to use.. that is very useful... and nobody actually checks the "code" within it... even if it does what it states... it could still do what happened in the "article" - This Developer Lost $500,000 While Coding in Cursor - I Explain Why.....

as the extension is not an npm.... and will run everything you run that "request" where that extension is being used... let's just say... "wait time extension" or "image resizer" or whatever...

I'm not saying that Wapplers will do this.. but if I just randomly download a free extension because it's going to make my life easier.. without checking the code.. then I might just open myself to a problem... just asking... :slight_smile: :slight_smile: playing the Devil's Advocate..

1 Like

If you have an app with that sort of turnover and don't check the code and make no fallback provisions (npms can be downloaded in full to a zip file), one would have to start using terms like reckless and incompetent.

Absolutely, and it's important you do, this is a big issue.
Also, platforms can be an issue. I just found, literally this morning, that my extensions do not install correctly in a docker environment (I normally use VPS and FTP).

Large scale npms of the type typically released by big companies, for example OneSignal or Twilio, and core components like fetch or larger components like axios, I don't check, but smaller developments I do, and I have excluded them from many of my extensions due to poor coding, trivial content or suspicious code.
I guess what I am saying is yes, there is a risk, but if you are a serious developer producing large scale or mission critical apps then part of the development process needs to be checking community extensions' code if you need to use them, and maintaining zip backups of npms so you can quickly republish them to get your project up and running in the event of disaster.
In my opinion it's lazy project management to blindly use a community extension without a fallback plan.
And remember, if permitted by the licence (most seem to be MIT), you are permitted to copy an npm and republish your own private version or produce a fork.

1 Like

Actually this may be a bigger issue for some users than I realised in some cases.
Just been discussing docker issues in another post.
Not using docker, I did not consider that docker rebuilds the node_modules folder on deploy, so docker users may be more adversely affected compared with VPS/FTP users.

1 Like

Yes, but you are only using those packages you specify within package.json. Also remember that npm audit (free) is there to run if you suspect any vulnerable packages. Then if you want to be really sure you can always look at Socket (free version available), which is a great solution for monitoring for compromised packages (supply chain attack vectors). On top of that, grab a copy of Zabbix to monitor the overall performance of your application (free version available). The thing is, it is our responsibility as developers to consider these things. Best to be proactive and not reactive. If you don't consider these potential threats when you deploy, then if you get compromised, there is no one else to blame essentially... In this day and age there is no excuse for ignoring security as it is more accessible than ever before. So don't ignore it.

4 Likes