Running Third-Party JavaScript

At Agoric, we’re at this intersection of cryptocurrencies and third-party JavaScript. We use a lot of JavaScript packages. It turns out that this intersection is just a really A-plus target for attackers. What’s going on here? Npm has some great statistics. They say that there are over 1.3 billion downloads of npm packages on an average Tuesday. That’s a lot of downloads. JavaScript has this rich culture of code reuse. Here are some more stats from npm. There are over 800,000 packages on npm, making it the largest code repository in the world. The average modern web application has over 1000 dependencies. Npm has this great quote: they say that over 97% of a modern web application comes from npm, and an individual developer is responsible only for the final 3% that makes their application useful and unique. Think of all the time that’s saved by not having to reinvent the wheel. That’s hundreds of millions of hours of coding saved. I think this is a really beautiful example of the cooperation that humankind is capable of. We have this rich civilization of code. We should be proud, and npm should be proud, of everything that they’ve accomplished. We have specialization. We have experts. We don’t have to build everything ourselves. As long as we can rely on all these package developers to be good people, we’re fine. But not everyone is good. Not everyone is good all the time. People make mistakes.

As Super Hans from “Peep Show” once put it, people like Coldplay, and voted for the Nazis. What happens when things go bad? Using other people’s code is risky. It’s risky because whatever package we install can basically do whatever it wants. There are no restrictions: a dependency runs with the same authority as the application that loaded it. We may not find out what happened until it’s too late. In real life, we have this rich ecosystem. We’re able to buy and use the things that other people create. We don’t have to grow our own food or sew our own clothes. Imagine if everything that you bought, every interaction that you had over the course of the day, even that coffee you bought this morning, had the power to completely take over your life. That’d be ridiculous. It’d be absurd. Yet that’s the situation we’re in right now with JavaScript packages: we can’t safely interact with the things that other people have made without it potentially ruining us.
