Skip to main content
Back to Library
postmortem

The Mechanism

4 min read Chapter 33 of 38

The Mechanism

The vulnerability is architectural, not in the left-pad code itself.

npm’s dependency resolution is fetch-on-demand from a centralized registry. When a developer runs npm install, the npm client reads the project’s package.json file, identifies the declared dependencies, queries the npm registry for each dependency, downloads the package tarball, reads the downloaded package’s package.json for its own dependencies, and recursively resolves the entire tree. Every install fetches from the registry. If a package is not in the registry, the install fails.

// A simplified dependency chain that includes left-pad
// project/package.json
{
  "name": "my-application",
  "dependencies": {
    "babel-core": "^6.0.0"
  }
}

// babel-core/package.json
{
  "name": "babel-core",
  "dependencies": {
    "babel-register": "^6.0.0"
    // ... many other dependencies
  }
}

// babel-register/package.json
{
  "name": "babel-register",
  "dependencies": {
    "line-numbers": "^0.2.0"
    // ... other dependencies
  }
}

// line-numbers/package.json
{
  "name": "line-numbers",
  "dependencies": {
    "left-pad": "^1.0.0"
    // FAILURE POINT: When left-pad is unpublished,
    // this dependency cannot be resolved.
    // my-application fails to install even though
    // my-application's developer has never heard of left-pad.
  }
}

The chain from my-application to left-pad is four levels deep. The developer of my-application depends on Babel. Babel is a mature, widely-used project maintained by a team. Babel depends on dozens of packages, which depend on dozens more. Somewhere in that tree, a package depends on an 11-line utility maintained by a single developer. The my-application developer has no visibility into this chain. They did not choose to depend on left-pad. They chose to depend on Babel, and the rest followed automatically.

The centralized registry is the single point of failure. Every npm install fetches from registry.npmjs.org. There is no peer-to-peer distribution. There is no local mirror by default. There is no fallback. If a package is removed from the registry, it is removed for everyone, everywhere, simultaneously.

Several mitigations exist but each has limitations:

Lock files (package-lock.json, yarn.lock). A lock file records the exact version and integrity hash of every package in the resolved dependency tree. If a lock file exists, npm ci installs exactly those versions without resolving from the registry, using cached copies if available. But the initial install, and any install that updates the lock file, still requires fetching from the registry. If the package is missing during that fetch, the install fails.

Private registries and caches. Organizations can operate private npm registries (Artifactory, Verdaccio, npm Enterprise) that cache packages from the public registry. If a package is removed from the public registry, the cached copy remains available. But this only protects organizations that have set up such infrastructure. Individual developers and small teams typically use the public registry directly.

Vendoring (committing node_modules). Some projects commit the entire node_modules directory to version control, eliminating the dependency on the registry at build time. This is effective but impractical for most projects due to the size of node_modules (often hundreds of megabytes or gigabytes) and the difficulty of reviewing vendored code for security.

The micro-package culture compounds the structural vulnerability. The JavaScript ecosystem contains packages for is-odd (checks if a number is odd), is-even (which depends on is-odd), is-number, is-string, is-array, and thousands of similar single-function packages. Each package is an additional node in the dependency graph, an additional point of failure, and an additional trust relationship. The developer who installs is-even is trusting not just the author of is-even but the author of is-odd, and anyone who has or will have commit access to either package.

This trust model scales poorly. A project with 1,000 transitive dependencies trusts 1,000 maintainers, their npm credentials, their development machines, and their judgment about who gets commit access. One compromised credential, one malicious maintainer, one hijacked package, and the trust chain is broken.