Re: POLA Would Have Prevented the Event-Stream Incident
It's a great read and it makes sense in some cases, but it also reminds me too much of how Android apps, and their incremental permission model, work.
If an app has been granted access to read or write files, and the company behind such an app changes, or its developers change, the permission remains, but what it is used for becomes uncertain.
In that case, the Store is supposed to be the filter that guarantees the new version of the app doesn't do anything malicious, and that is IMO what's missing in the `npm` world, which is more relevant than dropping global privileges, 'cause especially in the NodeJS world, most modules need `fs` for one reason or another.
In those cases, POLA wouldn't make much of a difference, unless the permission is not for the usage of the `fs` module, but rather for the directories such a module should be able to crawl.
On the Web there are already various ways to secure the network, and CSP or CORS are just a few. In NodeJS though, there are also native modules whose source code nobody even looks at, and having a "trusted revision" per each version, open to every module author, might be, as impractical as it sounds, the best option to avoid future issues.
I think the event-stream case showed many broken rings of the Open Source chain, and no one to blame for it, 'cause such a chain is knowingly broken but we're OK with it.
As mentioned in a tweet, since that "scandal" happened, people kept adding stars to projects I've officially deprecated, providing more recent, robust, and actively maintained alternatives.
Maybe I should just pass ownership of these modules (one of these has 13M downloads per month) and laugh at how much nobody learns anything from the past if something like event-stream happens again (no, I'm not planning to do that, but I often wonder if I should).