Realistically, package managers are necessary in real-life production environments.
Is there a way to prevent this kind of package manager supply chain attack?
Python's pip has support for repeatable installs and secure installs by comparing the checksums of the downloaded packages against a local list of checksums.
https://pip.pypa.io/en/stable/topics/repeatable-installs/
https://pip.pypa.io/en/stable/topics/secure-installs/
In the Java world, Maven Central could be the single point of failure. Maven verifies checksums, but those checksums are obtained from the same source as the packages. Hackers could replace legitimate packages with malicious ones, and replace legitimate checksums with the checksums of the malicious packages. There would be no warnings or errors when the user downloads the malicious package, because the checksum would be "correct".
The situation is even worse in the Common Lisp world. Quicklisp downloads over HTTP and doesn't even verify checksums. Quicklisp is stuck in the 20th century, just like Common Lisp.
As for Scheme, it has no widely used package managers to speak of ...
How is the situation in the Node.js world? What methods can JavaScripters use to avoid these supply chain attacks? I heard that the best practice is to use npm ci instead of npm install.
Short of using a self-hosted package repository where you manually vet every package, I think the best way to avoid these attacks is to use version pinning for all dependencies. Each listed dependency should also have a locally stored checksum for verification after downloads.
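An added example, not from this thread, of the approach in the reply above: a small Python checker that records a sha256 per pinned version in pip's --hash lockfile syntax and refuses any download whose bytes do not match the locally stored value, so a checksum served alongside a substituted package (the Maven Central scenario) is never consulted. The artifacts and the lock entry are constructed; the parser handles only the single-line form of the requirements syntax.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_requirement(name: str, version: str, artifact: bytes) -> str:
    """Produce one lockfile line in pip's --require-hashes syntax from an
    artifact that was vetted locally. The hash is recorded at vetting time,
    so a later substitution upstream cannot also rewrite it."""
    return f"{name}=={version} --hash=sha256:{sha256_hex(artifact)}"


def parse_lockfile(text: str) -> dict:
    """Map (name, version) -> set of allowed sha256 hex digests.
    Any requirement without an exact version and a hash is rejected,
    mirroring pip's behaviour under --require-hashes."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        req, *opts = line.split()
        name, _, version = req.partition("==")
        prefix = "--hash=sha256:"
        hashes = {o[len(prefix):] for o in opts if o.startswith(prefix)}
        if not version or not hashes:
            raise ValueError(f"unpinned requirement in lockfile: {line}")
        pins[(name.lower(), version)] = hashes
    return pins


def verify_download(pins: dict, name: str, version: str, artifact: bytes) -> bool:
    """True only if (name, version) is pinned and the downloaded bytes match
    one of the locally stored hashes; an unpinned version is refused."""
    allowed = pins.get((name.lower(), version))
    if allowed is None:
        return False
    return sha256_hex(artifact) in allowed


# Constructed sample artifacts standing in for wheel contents (not real releases).
VETTED = b"example-wheel-contents-v1"
TAMPERED = b"example-wheel-contents-v1-with-extra-payload"
LOCK = pin_requirement("example", "1.0.0", VETTED)

if __name__ == "__main__":
    pins = parse_lockfile(LOCK)
    print(verify_download(pins, "example", "1.0.0", VETTED))    # True
    print(verify_download(pins, "example", "1.0.0", TAMPERED))  # False
    print(verify_download(pins, "example", "1.0.1", VETTED))    # False: not pinned
```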