Since 2018, uWebSockets.js has been published on GitHub, secured with cryptographically verifiable SHA-1 hashes using Git SCM. Our network includes over 500 third-party clones. Each binary release comes with its own SHA-1 reference of the compiled source code, and the source code lists the compilation flags used.
You can install uWebSockets.js using the NPM client with the following command:
npm install uNetworking/uWebSockets.js#v20.43.0Alternatively, you can use the SHA-1 hash directly:
npm install uNetworking/uWebSockets.js#1977b5039938ad863d42fc4958d48c17e5a1fa06Using SHA-1 hashes ensures the integrity and authenticity of the software, providing an additional layer of security. You can also fork the entire repository to your own organization, allowing you to hold your own copy. This can be done with a single button click on GitHub, giving you full control over the software.
Occasionally, some NPM advocates express concerns about projects not fully integrated into the NPM registry, perceiving them as less secure. However, while the NPM registry has numerous security vulnerabilities, no one has proven any instance of our supposed "release tampering" or other conspiracies here on GitHub.
We've moved from an era where ideas required logical proof to one where beliefs are often driven by social media sentiments.
- Event-Stream (2018): Compromised after transfer to a new maintainer who injected malicious code to steal cryptocurrency.
- UAParser.js (2021): Hacked to inject code for mining cryptocurrency and installing trojans.
- coa & rc (2021): Compromised with malware due to dependency chain vulnerabilities.
- Colors & Faker (2022): Maintainer introduced an infinite loop to protest exploitation by large corporations.
- node-ipc (2022): Altered to contain malicious code deleting files on Russian and Belarusian systems.
- ESLint (2018): Malicious package published that exfiltrated environment variables, including credentials.
- Left-Pad (2016): Unpublishing caused widespread disruption, highlighting dependency ecosystem vulnerabilities.
We choose not to publish on NPM to maintain full control over our software, especially in legal matters such as GDPR or DMCA claims. This autonomy ensures we can manage releases according to legal requirements, though it has never been necessary so far.
Our experiences with NPM support have been negative, with poor responses to our DMCA claims and a tendency to prioritize site policies over the law. We cannot trust or rely on such a system.
Maintaining control allows us to comply with the law and manage our software effectively without external interference.