So, how secure is NPM? I did install it and it started to pull code from many different sources. That concerned me. If a theme only uses a small number of NPM sources, why use many? Why have them contained on a website?
I went for Hugo because it was static, and have noticed for years the website abuse from attempts to insert SQL code into databases. So, static HTML was “safe”, right?
@bep - Thanks, yes a good read. In years well gone now, we always had a separate testing environment, and only after a new release passed all the testing was it implemented into the “production” environment.
Personally, I don’t feel comfortable with npm simply because it pulls code/scripts from many different sources. Who do we trust?
@frjo - Yes, it is all under the control of the theme developers. If Hugo can provide the options though, like it does now with modules, will the theme developers consider making `npm` an option? Or is that simply not feasible?
So, npm was added to the theme at one point in time. Possibly theme developers can consider adding `npm` in a modular sense, or use other methods to provide the end user with options?
Any npm command that’s running outside of Hugo (e.g. Netlify runs `npm ci` by default) is out of control. I have thought about integrating npm more tightly into Hugo, but that has had the motivation of making it simpler, not more secure.
You could argue that the work Hugo has started with the `hugo mod npm pack` command is a step in the right direction, though.
My concerns about NPM are mostly:
It tends to encourage importing every little tool on the planet for the smallest of tasks; I have tested sites built with some static JS generators, and the dependency tree is in the thousands, which is impossible to do any sensible security review of.
It doesn’t seem to be very stable, so something that built fine two months ago fails now for some mysterious reason that you need a StackOverflow search to figure out. One example: I’m not able to build the JS/CSS for the Hugo sites’ theme anymore. I have tried to figure it out, but I gave up. I could probably figure it out, but I’m instead in the process of rewriting it.
Yep, how do we ensure that tools outside of Hugo are safe/secure? If it was an easy option to include npm or not, fine, but it doesn’t seem to be that easy. The author of this particular theme (Can NPM be an opton? · razonyang/hugo-theme-bootstrap · Discussion #515 · GitHub) has stated that all versions of this theme are built on top of npm modules/packages. Yet for end users that is totally transparent.
I agree with your concerns about NPM. Using it does pull in thousands of scripts, yet how many are used in a particular theme? Also, whilst it may appear that the use of a Hugo theme indicates the theme is “secure” and well controlled under GitHub management, with at least some accountability by having a number of contributors, if a theme has NPM, then it could equate to actually being contributed by thousands of “authors”.
That changes my perspective, hence the concerns. In an ideal world, it would be great to know if a Hugo theme uses NPM in any particular stage of development. But how can that be indicated? I realise that is beyond the scope of Hugo, and up to each Hugo theme developer.
Some sort of theme standards that may at least protect the theme users from loading (possibly) malicious code onto their websites.
I assume that most theme developers/authors consider that if a theme doesn’t crash or break anything, then it is tested? That it is safe?
Are there reliable NPM audit tools? In life, we are constantly faced with situations where the risks need to be evaluated. Yet it comes down to a personal choice no doubt.
Package npm - package manager for Node.js
Package node-is-npm - Checks if your code is running as an npm script
Package node-npm-bundled - Parses info on bundled dependencies
Package node-npm-package-arg - Parse the things that can be arguments to npm install
Package node-npm-run-path - Get your PATH prepended with locally installed binaries
Package node-npmlog - Logger with custom levels and colored output for Node.js
Package node-npmrc - Switch between different .npmrc files
Package node-validate-npm-package-license - Tells if a string is a valid npm package license string
Package node-validate-npm-package-name - Checks if a string is a valid npm package name
Package npm2deb - tool to help debianize Node.js modules
There is `npm audit`, see npm audit at DuckDuckGo. If a theme has been audited, or at least the components/scripts that are used to build the theme have been audited, then can a version be flagged/marked as audited? Safe and secure??
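Two questions in the posts above (how to tell whether a theme uses npm at all, and what `npm audit` does and does not cover) can be answered from files already in the theme directory, without running npm. The script below is an added example for this thread, not code from Hugo or from any theme: it reads a theme's package.json and package-lock.json (lockfileVersion 2/3 layout, the `hasInstallScript` and `integrity` fields npm itself writes) and reports how many packages actually arrive, which ones run code at install time, which direct dependencies are unpinned, and which lockfile entries have no integrity hash. The theme contents produced by `build_fixture()` and the package names in it are constructed for illustration.

```python
"""Summarise the npm surface of a Hugo theme from its manifest and lockfile.

Added example for this discussion; not part of Hugo or any theme. The
fixture written by build_fixture() is constructed, the package names are
hypothetical, and only the local files are read (no network, no npm).
"""
import json
import os
import tempfile

# Lifecycle hooks that npm runs automatically during `npm install` / `npm ci`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def _short(lock_path):
    # lockfile keys are install paths: "node_modules/a/node_modules/b" -> "b"
    return lock_path.split("node_modules/")[-1]


def theme_npm_report(theme_dir):
    """Return a dict describing what `npm install` in theme_dir would do."""
    pkg = os.path.join(theme_dir, "package.json")
    lock = os.path.join(theme_dir, "package-lock.json")
    report = {
        "uses_npm": os.path.exists(pkg),
        "has_lockfile": os.path.exists(lock),
        "direct": 0,               # packages the theme names itself
        "installed": 0,            # packages the lockfile actually installs
        "install_scripts": [],     # anything that executes code at install time
        "unpinned": [],            # direct deps allowed to float to newer versions
        "missing_integrity": [],   # lockfile entries npm cannot hash-verify
    }
    if not report["uses_npm"]:
        return report

    with open(pkg) as f:
        manifest = json.load(f)
    direct = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        direct.update(manifest.get(section, {}))
    report["direct"] = len(direct)
    # Hooks declared by the theme itself run the theme author's code on install.
    scripts = manifest.get("scripts", {})
    report["install_scripts"] += ["<theme>:" + h for h in INSTALL_HOOKS if h in scripts]
    report["unpinned"] = [
        name for name, spec in direct.items()
        if spec.startswith(("^", "~", ">", "*")) or spec in ("latest", "")
    ]

    if report["has_lockfile"]:
        with open(lock) as f:
            lockdata = json.load(f)
        # lockfileVersion 2/3: "packages" maps install paths to metadata; "" is the root.
        packages = {p: m for p, m in lockdata.get("packages", {}).items() if p}
        report["installed"] = len(packages)
        for path, meta in packages.items():
            if meta.get("hasInstallScript"):          # npm sets this for packages with hooks
                report["install_scripts"].append(_short(path))
            if "integrity" not in meta and not meta.get("link"):
                report["missing_integrity"].append(_short(path))
    return report


def build_fixture(with_npm=True):
    """Write a constructed theme: two direct deps, one nested dep, one theme hook."""
    theme = tempfile.mkdtemp(prefix="example-theme-")
    if not with_npm:
        return theme                                  # a theme that never touches npm
    manifest = {
        "name": "example-theme",
        "devDependencies": {"example-bundler": "^0.19.0", "example-css": "8.4.31"},
        "scripts": {"build": "example-bundler assets/js/main.js",
                    "postinstall": "node scripts/setup.js"},
    }
    reg = "https://registry.npmjs.org/"               # hypothetical package URLs
    lock = {"name": "example-theme", "lockfileVersion": 3, "packages": {
        "": {"name": "example-theme", "devDependencies": manifest["devDependencies"]},
        "node_modules/example-bundler": {
            "version": "0.19.2", "dev": True, "hasInstallScript": True,
            "resolved": reg + "example-bundler/-/example-bundler-0.19.2.tgz",
            "integrity": "sha512-constructed"},
        "node_modules/example-css": {
            "version": "8.4.31", "dev": True,
            "resolved": reg + "example-css/-/example-css-8.4.31.tgz",
            "integrity": "sha512-constructed",
            "dependencies": {"example-helper": "^1.0.0"}},
        # nested dependency with no integrity hash: npm cannot verify the tarball
        "node_modules/example-css/node_modules/example-helper": {
            "version": "1.0.3", "dev": True,
            "resolved": reg + "example-helper/-/example-helper-1.0.3.tgz"},
    }}
    with open(os.path.join(theme, "package.json"), "w") as f:
        json.dump(manifest, f)
    with open(os.path.join(theme, "package-lock.json"), "w") as f:
        json.dump(lock, f)
    return theme


if __name__ == "__main__":
    for key, value in theme_npm_report(build_fixture()).items():
        print(f"{key:18} {value}")
```

The `install_scripts` line is the one to read first: those entries execute on the build machine (Netlify, a laptop) before Hugo runs, which is the exposure the thread is worried about; `npm ci --ignore-scripts` disables them where a theme's build does not need them. `npm audit` complements rather than replaces this: it matches the lockfile against published advisories, so it says nothing about an install script or an unpinned range that has not yet been reported.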
Remember that this is a “base theme”; you are meant to add your own CSS to it. The provided CSS gives you a functional site, but not a very exciting one.
I use it myself for all Hugo sites I build; the designer(s) on the project provide the look and feel and I implement it.
The Zen theme uses npm/node for linting the code; it is completely optional to use.
It installed fine for me, when I remembered I need Hugo extended, that is. I don’t have NPM installed, and the theme worked and looked great for me. I’m not really looking for a fully blown “bells and whistles” theme.