jprdonnelly/uWebSockets.js
1
0
Fork 0
mirror of https://github.com/uNetworking/uWebSockets.js.git synced 2025-12-23 21:06:05 -05:00
Code Issues Projects Releases Wiki Activity

Create npm.md

Browse Source
This commit is contained in:
uNetworkingAB
2024-06-14 10:34:44 +02:00
committed by GitHub
parent 21985421e4
commit fb2ec3eee5
1 changed files with 45 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
misc/npm.md Normal file
View File

@@ -0,0 +1,45 @@
# Addressing Claims of Conspiracy to Commit Crimes under the Computer Fraud and Abuse Act (CFAA)
Since 2018, uWebSockets.js has been published on GitHub, secured with cryptographically verifiable SHA-1 hashes using Git SCM. Our network includes over 500 third-party clones. Each binary release comes with its own SHA-1 reference of the compiled source code, and the source code lists the compilation flags used.
* uNetworking AB is a Swedish joint-stock company (number 559183-0558). Sweden is known for its transparency and rigorous bureaucracy.
### Recommended Installation
You can install uWebSockets.js using the NPM client with the following command:
```bash
npm install uNetworking/uWebSockets.js#v20.43.0
```
Alternatively, you can use the SHA-1 hash directly:
```bash
npm install uNetworking/uWebSockets.js#1977b5039938ad863d42fc4958d48c17e5a1fa06
```
Using SHA-1 hashes ensures the integrity and authenticity of the software, providing an additional layer of security. You can also fork the entire repository to your own organization, allowing you to hold your own copy. This can be done with a single button click on GitHub, giving you full control over the software.
### Social Media Influence and Perceptions of Security
Occasionally, some NPM advocates express concerns about projects not fully integrated into the NPM registry, perceiving them as less secure. However, while the NPM registry has numerous security vulnerabilities, no one has proven any instance of our supposed "release tampering" or other conspiracies here on GitHub.
We've moved from an era where ideas required logical proof to one where beliefs are often driven by social media sentiments.
### Notable Security Incidents on NPM
* **Event-Stream (2018)**: Compromised after transfer to a new maintainer who injected malicious code to steal cryptocurrency.
* **UAParser.js (2021)**: Hacked to inject code for mining cryptocurrency and installing trojans.
* **coa & rc (2021)**: Compromised with malware due to dependency chain vulnerabilities.
* **Colors & Faker (2022)**: Maintainer introduced an infinite loop to protest exploitation by large corporations.
* **node-ipc (2022)**: Altered to contain malicious code deleting files on Russian and Belarusian systems.
* **ESLint (2018)**: Malicious package published that exfiltrated environment variables, including credentials.
* **Left-Pad (2016)**: Unpublishing caused widespread disruption, highlighting dependency ecosystem vulnerabilities.
### Why We Avoid Centralization
We choose not to publish on NPM to maintain full control over our software, especially in legal matters such as GDPR or DMCA claims. This autonomy ensures we can manage releases according to legal requirements, though it has never been necessary so far.
Our experiences with NPM support have been negative, with poor responses to our DMCA claims and a tendency to prioritize site policies over the law. We cannot trust or rely on such a system.
Maintaining control allows us to comply with the law and manage our software effectively without external interference.