Dev News: npm Attacks, htmx Updates and Flutter’s Roadmap
The npm open source package repository for Node.js briefly suffered a denial of service after three attackers flooded it with bogus packages, according to Hacker News.
The attackers created malicious websites and published empty packages containing links to those websites, “taking advantage of open source ecosystems’ good reputation on search engines,” Checkmarx’s Jossef Harush Kadouri said in a blog post about the attacks.
“The attacks caused a denial-of-service (DoS) that made npm unstable with sporadic ‘Service Unavailable’ errors,” he noted. “The campaigns included a malware infection campaign, a referral scam campaign linked to AliExpress, and a crypto scam campaign targeting Russian users on Telegram.”
Attacks on open source ecosystems have been heavy throughout the past year, but March was by far the worst month seen so far, Kadouri said.
“Typically, the number of package versions released on npm is approximately 800,000,” Kadouri said. “However, in the previous month, the figure exceeded 1.4 million due to the high volume of spam campaigns.”
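To show the defender's side of the pattern Kadouri describes (empty packages whose only real content is an outbound link), here is an added example, not code from the article or from Checkmarx, that applies an "empty package plus external links" heuristic to constructed npm package metadata. The file lists, README text and hostnames are made up for illustration, and the trusted-host allowlist is an assumption a real triage pipeline would tune.

```python
import re
from dataclasses import dataclass

# Hostnames a README can legitimately link to without raising a flag (assumed list).
TRUSTED_HOSTS = {"github.com", "www.npmjs.com", "npmjs.com"}
# File extensions that count as shippable code; package.json alone does not.
CODE_EXTENSIONS = (".js", ".mjs", ".cjs", ".ts", ".node", ".wasm")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


@dataclass
class Package:
    name: str
    files: list        # paths inside the published tarball
    readme: str        # README contents as published


def is_empty(pkg: Package) -> bool:
    """True when the tarball ships no code at all, only metadata/docs."""
    return not any(f.lower().endswith(CODE_EXTENSIONS) for f in pkg.files)


def external_hosts(readme: str) -> set:
    """Hostnames linked from the README that are not on the trusted list."""
    return {h.lower() for h in URL_RE.findall(readme)} - TRUSTED_HOSTS


def flag_reasons(pkg: Package) -> list:
    """Explain why a package looks like SEO spam; empty list means no finding."""
    reasons = []
    if is_empty(pkg):
        reasons.append("no code files in tarball")
    hosts = external_hosts(pkg.readme)
    if hosts:
        reasons.append("README links to " + ", ".join(sorted(hosts)))
    # Only the combination (no code AND outbound links) is treated as a hit.
    return reasons if len(reasons) == 2 else []


def triage(packages) -> dict:
    """Map package name -> reasons for every package that trips the heuristic."""
    return {p.name: r for p in packages if (r := flag_reasons(p))}


# Constructed sample data: one ordinary package, one link-only spam package.
LEGIT = Package("left-pad-clone", ["package.json", "index.js", "README.md"],
                "# left-pad-clone\nSee https://github.com/example/left-pad-clone")
SPAM = Package("free-gift-cards-2023", ["package.json", "README.md"],
               "Claim your reward: https://promo.example-spam.invalid/go")
```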
Htmx Releases Version 1.9.0
- Support for view transitions, which is “based on the experimental View Transitions API currently available in Chrome 111+ and coming to other browsers soon,” the post noted;
- “Support for ‘naked’ hx-trigger attributes, where an hx-trigger is present on an element that does not have an hx-get, etc. defined on it. Instead, it will trigger the new htmx:triggered event, which can be responded to via your preferred scripting solution”; and
- Support for generalized inline event handling via the new hx-on attribute, which the blog post notes addresses the limitation that HTML only provides built-in onevent attributes for a fixed set of events.
Python Foundation Says EU Acts Could Create Risk for OSS
The Python Foundation is worried that two proposed European Union acts could create risks for open source software.
The foundation stated that while it agrees with the stated goals of the policies of increased security and accountability for European software consumers, it fears the overly broad policies in the Cyber Resilience Act and Product Liability Act “will unintentionally harm the users they are intended to protect.”
“Many modern software companies rely on open source software from public repositories without notifying the author, and certainly without entering into any kind of commercial or contractual relationship with them,” wrote Deb Nicholson, executive director of the Python Foundation. “If the proposed law is enforced as currently written, the authors of open source components might bear legal and financial responsibility for the way their components are applied in someone else’s commercial product.”
Under the current language, the foundation could potentially be liable for any product that includes Python code without having received any monetary gain from those products. That risk of potential costs would make it “impossible in practice for us to continue to provide Python and the Python Package Index to the European public,” she wrote.
She noted that the existing language does not differentiate between independent authors who have never been paid for the supply of software, and big corporations that sell products for end-users.
“We believe that increased liability should be carefully assigned to the entity that has entered into an agreement with the consumer,” Nicholson added.
Flutter Framework Roadmap Released
The Flutter team released its roadmap for 2023 this month. Tim Sneath wrote about the news on Medium. Sneath is a project manager and UX director for developer frameworks and languages at Google. That includes overseeing Flutter, which is an open source portable UI framework that gives developers the ability to build apps for any platform from a single codebase.
Flutter builds on Dart, a multiplatform language that enables “cornerstone Flutter features that include stateful hot reload; fast, iterative compilation to native and web; and a thriving package ecosystem,” the documentation states.
The document notes that over the coming years, the framework faces a number of challenges, including migrating the ecosystem to null safety without fragmentation and building an ecosystem that is self-sustaining.
Still, Sneath writes that the platform has a competitive edge in that it has long focused on developer experience as a fundamental value.
- security, and
Google eventually plans for Flutter to work with Wasm.