Yarn, introduced on Tuesday under a BSD license and without the patent clause that terminates Facebook’s React license for those involved in patent litigation against the company, is an alternative npm client. It’s not to be confused with Apache Hadoop YARN (Yet Another Resource Negotiator), which is cluster management software.
Package managers help developers by automating the installation, configuration, and management of libraries, frameworks, and other software components. They’re used in Python (pip), PHP (PEAR), Perl (CPAN), Ruby (RubyGems), and Rust (Cargo), among other programming languages.
At Apple’s Worldwide Developer Conference this year, Ted Kremenek, senior manager of languages and runtimes, described the Swift Package Manager as “fundamental to Swift and its long-term success.”
Facebook’s Sebastian McKenzie, Christoph Pojer, and James Kyle in a blog post explain that the company has been using the npm client for years, but has run up against problems with package consistency, security, and performance. Yarn addresses dealing with dependencies at scale, but it should also be useful for smaller development operations.
“After trying to solve for each issue as it came up, we set out to build a new solution to help us manage our dependencies more reliably,” the trio said. “The product of that work is called Yarn – a fast, reliable, and secure alternative npm client.”
Yarn’s speed comes in part from caching – so that downloaded packages don’t need to be downloaded again – and from parallelization. Its reliability stems from its use of lockfiles and a deterministic installation algorithm that ensures that installations happen the same way on different systems. And its security follows from checksums performed on every package before installation.
But support for features that enhance security should not be mistaken for the absence of potential security issues. Earlier this year, Nikolai Tschacher, an undergraduate student at the University of Hamburg, presented a thesis titled “Typosquatting in Programming Language Package Managers.”
Tschacher’s research paper explains how he was able to force more than 17,000 computers to run arbitrary code by submitting compromised packages to package registries, npm among them, with names almost identical to popular software packages.
Tschacher concludes that package managers are vulnerable to such attacks, that such attacks can be found in the wild, and that while defenses exist, they’re not commonly employed.
In an email correspondence with The Register in June, Laurie Voss, COO and cofounder of npm, the company overseeing the npm software, characterized the typosquatting risk as small. He said that the ~600 npm installs Tschacher counted over several days represented just 0.02% of the number of npm sessions in a single day, and that the research didn’t account for automated package installation done for mirroring.
Perhaps more significantly, typos aren’t nearly as common when using a package manager as they are when using a web browser.
“Like most package managers, most npm package installations are not the result of a human typing in a name: Usually the packages come as part of a manifest, such as npm’s package.json, so the majority of package requests have no chance of a typo,” said Voss, who suggested the chance of a compromise is “so rare an event as to be not worth an attacker’s time, even at our current scale.”
But there are other potential security issues. Doubts about the security of the SHA1 algorithm, used to compute checksums for npm package integrity, were raised several years ago in light of the crypto community’s warning that SHA1’s days are numbered.
Responding to those concerns in a GitHub issues thread earlier this year, npm software engineer Forrest Norvell dismissed the potential weakness of SHA1 because it’s not used for identifying the source of files. However, he acknowledged that “npm doesn’t have a strong notion of provenance for files distributed via the registry.”
This doesn’t mean Yarn or npm face significant security issues. But it suggests that more attention will need to be paid to file integrity and file provenance as npm usage grows.