Stream: general

Topic: Supply Chain Security


Victor Adossi (May 20 2026 at 03:38):

Hey all, so it looks like some links in supply chains are about as strong as wet paper these days.

At least for the packages in the JS ecosystem, I'm currently moving Jco to pnpm since it has the most complete set of prevention mechanisms -- the most important of which, I think, is being able to allow-list programs that can execute scripts at install time.

Basically, one of the main problems is automatically executed build-time scripts and their ability to do anything. Rust technically has this same problem (build.rs) with no solution at present (not even the ability to allow-list crates from running build.rs scripts), or some crate update delay mechanism. The Rust ecosystem is somewhat safer for other reasons, but it is unsafe (just much less frequently exploited) for many of the same reasons.

Anyway, the point of this thread is to let anyone know -- if you've got a JS codebase and it isn't on pnpm, I think it might be worth considering moving it to pnpm -- there are other benefits (some objective, some subjective), but at this point it's the tooling that makes security the easiest to opt-in to right now.

AFAICT virtually no other well-used language ecosystem is technically protected from this threat, and most are somewhat resilient just due to sheer difficulty of making packages, or the diligence of users around dependencies, etc... But we can probably do better than that.

Very interested to see what other ecosystems have as well -- for example, uv in the Python world has build isolation as a default, which is good, but I assume pip may not.

Victor Adossi (May 20 2026 at 04:00):

Oh BTW for those thinking it -- Wasm is definitely a long term answer here (I might even be so bold as to say the "right" or "best" answer here given current options), but there was progress made on macros via Wasm, which got explored in a GSoC project and has not been picked up again since (?).

Would love to hear if there's anything I've missed on this/new developments worth discussing!

ktz_alias (May 20 2026 at 04:28):

FWIW, I've been building jco from source with pnpm locally from time to time just for experimentation/testing.

In practice it only needed:

So at least from my experience, the migration friction seemed pretty low.

Happy to share the exact diff if useful.

Victor Adossi (May 20 2026 at 04:34):

Really appreciate the shout @ktz_alias -- I've been tussling with CI for a bit now to get it perfect.

We automate a lot of processes in Jco (release, updating related issues/PRs after one goes out, testing obviously, etc.), so I've been a bit worried about breakages, and it hasn't been all smooth sailing, but it's been straightforward so far, just a slow loop!

It's almost all running now BTW; the biggest issue left is the conformance tests (p1 tests, etc.) -- they are not properly installing in CI, and some ENV is somehow missing.


Last updated: Jun 01 2026 at 09:49 UTC