The problem with supply chain attacks is specifically related to npm, and not related to JS. npm as an organization needs to be taking more responsibility for the recent attacks and essentially forcing everyone to use more strict security controls when publishing their dependencies.
It’s maybe a nit-pick, since most JS is run sandboxed, so it’s sort of equivalent. But it was explicitly what GP asked for. Would it be more accurate to say Electron is secure, not JS?
Any two Turing-complete programming languages are equally secure, no?
Surely the security can only ever come from whatever compiles/interprets it? You can run JavaScript on a piece of paper.
Conversely, barring a bug in the runtime or compiler, higher level languages don't enable those kinds of shenanigans.
See for example the heart bleed bug, where openssl would read memory it didn't own when given a properly malformed request.
Language design actually has a lot of impact on security, because it defines what primitives you have available for interacting with the system. Do you have an arbitrary syscall primitive? Then the language is not going to help you write secure software. Is your only ability to interact with the system via capability objects that must be provided externally to authorize your access? Then you're probably using a language that put a lot of thought into security and will help out quite a lot.
To be fair, a plugin system built on JS with all plugins interacting in the same JS context as the main app has some big risks. Anything plugin can change definitions and variable in the global scope with some restrictions. But any language where you execute untrusted code in the same context/memory/etc as trusted code has risks. the only solution is sandboxing plugins
I almost fell out of my chair laughing. Thanks for the comedic relief.
It runs on a majority of computers and basically all phones. There will be many security issues that get discovered b y virtue of these facts.
What makes you think that "native" apps are any more secure?
I’d love to try it, but speaking of security, this was the first thing I saw:
sh <(curl https://create.tauri.app/sh)
Tauri is trustable (for some loose definition) and the pipe to shell is just a well known happy-path.
All that to say it's a low value smell test.
Also, I'm in the camp that would rather git clone and then docker up. My understanding is it gives me a littl more sandbox.
It's not a problem on pc, but an obsidian vault with thousands of notes can have a laggy startup on mobile, even if you disable plugins.
Users sidestep this issue with quick capture plugins and apps, but I wish there was a native stripped-down version of obsidian.
I'd also be forced to ask... what exactly are you doing with a markdown note-taking application such that performance is a legitimate concern?
But, I mean, maybe you're reading this in a Lynx session on your ThinkPad 701C.
Launching it and expecting a fast startup.
Let's fix private key leakage and supply chain issues before worrying about C++ haxxors p0wning your machines.
As less code at trust boundaries is being written in memory-unsafe languages, we'll get to 0.001%!
I mean, jeeze, how much code comes along for the ride with Electron...
It's a great way to keep lifecycle costs down and devops QoL up, especially for smaller shops.
*Insert favorite distro here that backports security fixes to stable package versions for a long period of time.
EDIT to add: Of course, reaching a state where the whole graph is free of CVEs is a fleeting state of affairs. Staying reasonably up-to-date and using only scanned dependencies is an ongoing process that takes more effort and attention to detail than many projects are willing or able to apply; but it is possible.
Code with publicly-known weaknesses poses exponentially more danger than code with unknown weaknesses.
It's like telling sysadmins to not waste time installing security patches because there are likely still vulnerabilities in the application. Great way to get n-day'd into a ransomware payment.
RSS Feeds?
But as a developer this post is nonsense and extremely predictable [1]. We can expect countless others like it that explains how their use of these broken tools is different and just don't worry about it!
By their own linked Credits page there are 20 dependencies. Let's take one of those, electron, which itself has 3 dependencies according to npm. Picking one of those electron/get has 7 dependencies. One of those dependencies got, has 11 dependencies, one of those cacheable-request has 7 dependencies etc etc.
Now go back and pick another direct dependency of Obsidian and work your way down the dependency tree again. Does the Obsidian team review all these and who owns them? Do they trust each layer of the chain to pick up issues before it gets to them? Any one of these dependencies can be compromised. This is what it means to be. supply chain attack, you only have to quietly slip something into any one of these dependencies to have access to countless critical user data.
[1] https://drewdevault.com/2025/09/17/2025-09-17-An-impossible-...
Obsidian has a truly terrible security model for plugins. As I realized while building my own, Obsidian plugins have full, unrestricted access to all files in the vault.
Obsidian could've instead opted to be more 'batteries-included', at the cost of more development effort, but instead leaves this to the community, which in turn increases the attack surface significantly.
Or it could have a browser extension like manifest that declares all permissions used by the plugin, where attempting to access a permission that's not granted gets blocked.
Both of these approaches would've led to more real security to end users than "we have few third party dependencies".
If they wanted to, one would guess that browser-ish local apps based on stuff like Electron/node-webkit could probably figure out some way to limit extension permissions more granularly.
Sneak in a malicious browser extension that breaks the permissions sandbox, and you have hundreds of thousands to millions of users as an attack surface.
Make a malicious VSCode/IDE extension and maybe you hit some hundreds or thousands of devs, a couple of smaller companies, and probably can get on some infosec blogs...
Attackers just have to hit one dev with commit rights to an app or library that gets distributed to millions of users. Devs are multipliers.
Yeah and they suck now. We need a better security model where it's still possible to do powerful stuff on the whole machine (it's MY computer after all) without compromises.
That's not possible. If you can do powerful stuff on the whole machine by definition you have no security. Security is always a question of where you create a perimeter. You can hand someone a well defined box in which they can do what they want, you can give someone broader access with fewer permissions, but whether vertically or horizontally to have security is to exercise control and limit an attack surface.
That's even implicit in the statement that it's YOUR computer. The justification being that there's a dividing line between your computer and other computers. If you'd be part of of a network, that logic ceases to hold. Same when it comes to components on your machine.
I would say VSCode has no excuse. It's based on a browser which does have capabilities to limit extensions. Huge miss on their part, and one that I wish drew more ire.
The Emily language (locked-down subset of OCaml) was also interesting for actively removing parts of the standard library to get rid of the escape hatches that would enable bypassing the controls.
Eio is an IO library out of many competing ones, not OCaml's effect system. The capabilities are an Eio thing, not an effects thing.
Linux has seccomp, but I think that was changing the access for an entire process. The language-focused aspect seems useful to me, from that application aspect where maybe I want access to something, but I don't want to pass that access on to all the code that I might call from a library.
Do you mean mods on Steam? If you do, then that's down to the individual game. Sandboxing mods isn't universal.
It's pretty much the opposite. A lot of modding communities' security model is literally just to "trust the community."
Example: https://skylines.paradoxwikis.com/Modding_API
> The code in Mods for Cities: Skylines is not executed in a sandbox.
> While we trust the gaming community to know how to behave and not upload malicious mods that will intentionally cause damage to users, what is uploaded on the Workshop cannot be controlled.
> Like with any files acquired from the internet, caution is recommended when something looks very suspicious.
I guess the intent behind Cities Skylines's support for mods is just removing the need for a mod manager and enabling Steam Workshop support.
And how exactly you can solve that?
I don't want to press 'allow access' on the every file some plugin is accessing.
There is no reason for pdf.js to ever access anything other than the files you wish to export. The Export to PDF process could spawn a containerized subprocess with 0 filesystem or network access and constrained cpu and memory limits. Files could sent to the Export process over stdin, and the resulting PDF could be streamed back over stdout with stderr used for logging.
There are lots of plugin systems that work this way. I wish it were commodofied and universally available. AFAIK there's very little cross-platform tooling to help you solve this problem easily, and that's a pity.
FWIW, MacOS isn't any better or worse for security than any other desktop OS tbh....
I mean, MacOS just had it's "UAC" rollout not that long ago... and not sure about you, but I've encountered many times where someone had to hang up a Zoom or browser call because they updated the app or OS, and had to re-grant screenshare permissions or something. So, not that different. (Pre-"UAC" versions of MacOS didn't do any sandboxing when it came to user files / device access)
IMO they should do something like aur on Arch Linux and have a community managed plugin repo and then a smaller, more vetted one. That would help with the plugin review time too.
One thing that makes our offering unique is the ability to self-host your Relay Server so that your docs are completely private (we can't read them). At the same time you can use our global identity system / control plane to collaborate with anyone in the world.
We have pretty solid growth, a healthy paid consumer base (a lot of students and D&D/TTRPG), and starting to get more traction with businesses and enterprise.
[0] https://relay.md
It might not be the most strategic move, but i want to build cool and useful tools, and the Obsidian folks are a big inspiration.
I hope there's a way to collaborate and/or coexist.
If engineers can't even manage their own security, why are we expecting users to do so?
This latest attack hit Crowdstrike as well. Imagine they had gotten inside Huntress, who opened up about how much they can abuse the access given: https://news.ycombinator.com/item?id=45183589
Security folks and companies think they are important. The C suite sees them as a scape goat WHEN the shit hits the fan and most end users feel the same about security as they do about taking off their shoes at the airport (what is this nonsense for) and they mostly arent wrong.
It's not that engineers cant take care of their own security. It's that we have made it a fight with an octopus rather than something that is seamless and second nature. Furthermore security and privacy go hand and hand... Teaching users that is not to the benefit of a large portion of our industry.
I dunno. My computer has at least 1 hardware backdoor that I know off, but that I just can't get hardware without any equivalent exploit.
My OS is developed with a set of tools that is known to make code revision about as hard as possible. Provides the bare minimum application insulation. And is 2 orders of magnitude larger than any single person can read on their lifetime. It's also the usable OS out there with best security guarantees, everything else is much worse or useless.
A browser is almost a new complete layer above the OS. And it's 10 times larger. Also written in a way that famously makes revisions impossible.
And then there are the applications, that is what everybody is focusing today. Keeping them secure is close to useless if one don't fix all of the above.
Personally, I think he uses Emacs.
The derivatives are obviously completely separate from Arch and thus are not the responsibility of Arch maintainers.
It’s still the same problem, relying on the community and trusted popular plugin developers to maintain their own security effectively.
yay or paru (or other aur helpers afaik) are not in the repos. To install them one needs to know about how to use AUR in the first place. If you are technically enough to do that, you should know about the security risks since almost all tutorials for AUR come with the security warnings. Its also inconvenient enough that most people wont bother.
In obsidian plugins can seem central to the experience so users might not think much of installing them, in Arch AUR is very much a non essential component. At least thats how I understand it.
While somewhat true, we are talking about a user who has installed Arch on their machine. If a user wanted to not bother with installation details, they would've installed Ubuntu.
I can't even install Brave without the AUR.
Unless something has changed, it's worse than that. Plugins have unrestricted access to any file on your machine.
When I brought this up in discord a while back they brushed it aside.
It sounds like if I ever run obsidian I should be using flat seal too.
I'm not claiming it's a security feature of Obsidian, I'm saying it's a consequence of running a flatpak - and in this situation it could be advantageous for those interested.
[1] https://docs.docker.com/desktop/settings-and-maintenance/set...
The first time I started installing flatpaks I ran into a bit of permission / device isolation trouble and ever since then, I use flatseal after installing an app to make sure it actually has access to things.
I guess I misremembered in the case of Obsidian.
Seems a little excessive, but here we are.
I got lazy
Time to crank the paranoidmeter up again
ty
Obviously it can detect malware if there’s a connection to some weird site, but it’s more like a bonus than a reliable test.
If you need to block FS access, then per app containers or VMs are the way to go. The container/VM sandboxes your files, and Little Snitch can then manage externa connectivity (you might still want to allow connection to some legit domains—-but maybe not github.com as that can be use to upload your data. I meant something like updates.someapp.com)
There are so many options, from so many different security perspectives, that analysis paralysis is a real issue.
For user-space, there is usually bubblewrap vs. firejail. I have not personally used bubblewrap, so I cannot comment on that, but firejail is great at what it does.
The last comment was about restricting clipboard access to either X11 or Wayland which is possible with firejail quite easily, so if you want that, you can have that.
You can do a LOT more with firejail though.
https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
This is my ~/.config/firejail/Discord.profile[1]:
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-shell.inc
noblacklist /sys/fs
noblacklist /sys/module
keep-config-pulse
keep-dev-shm
name discord
apparmor
caps.drop all
caps.keep sys_admin,sys_chroot
netfilter
nodvd
#nogroups
#noinput
nonewprivs
noroot
notv
#nou2f
#novideo
protocol unix,inet,inet6
#shell none
disable-mnt
private-cache
#private-tmp
noexec /tmp
dbus-user filter
dbus-user.talk org.freedesktop.Notifications
private-bin Discord,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,tr,xdg-mime,xdg-open,zsh,gzip,wget,curl,notify-send
private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
noblacklist /usr/lib/discord/
whitelist ${HOME}/.config/discord
read-write ${HOME}/.config/discord
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/pulse/*
include whitelist-common.inc
include whitelist-var-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
Some has this, too:
disable-mnt
private-dev
private-cache
env http_proxy=socks5://127.0.0.1:9050
env https_proxy=socks5://127.0.0.1:9050
You should check out the default profiles for many programs / apps under directory "/etc/firejail".
[1] You run it via "firejail Discord" or "firejail ./Discord" if you name it "Discord.profile".
In case anyone else is curious, I found the following comparison in bubblewrap's repo.
- https://github.com/containers/bubblewrap#related-project-com...
I'm gonna try both and see which one I like. Thanks for this info! You're sure living up to your user name there. (:
> You're sure living up to your user name there. (:
You are too kind, thank you!
But I haven't heard anyone talk like that in quite sometime (unless it's me parroting them). Which is quite unfortunate.
I think for example if someone from the old guard of Blizzard were to write a book or at least a novella that described how the plugin system for World of Warcraft functioned, particularly during the first ten years, where it broke, how they hardened it over time, and how the process worked of backporting features from plugins into the core library...
I think that would be a substantial net benefit to the greater software community.
Far too many ecosystems make ham-fisted, half-assed, hair-brained plugin systems. And the vast majority can be consistently described by at least two of the three.
The lessons from all fields seem to be relearnt again and again in new fields :-)
It might be slightly sped up by reading up on theory and past experiences of others.
I am around mid life and I see how I can tell people stuff, I can point people to resources but they still won’t learn until they hit the problem themselves and put their mind into figuring it out.
See also people trying to bring Erlang back into fashion.
In each game generation there’s a game that would be easy to write on the next or subsequent generation of hardware and is damned difficult to implement on the current one. Cleverness and outright cheating make it work, after all fashion.
This is also why every hard problem eventually shows up — games are just simulation + interaction, and eventually everything that can be simulated will have some attempted implementation out there, struggling along. (For some reason, this does not appear to stop at “interesting” things to simulate — see all the literal simulators on steam)
And in general, it will take less hardware resources that the usual Electron stuff.
At the end of the day, you're just taking notes. If you write a journal, don't put it in something like Obsidian. Even Apple Notes is better (in security, privacy, etc) in this regards.
Point is, you don't need Obsidian (or all of its plugin). People have been making do with Dropbox and plain text (.txt) files perfectly fine for years.
This is why people use Obsidian.
I use it to remember stuffs and classify important informations, for instance I had issue fo years with my government to end my enterprise. I made a note in obsidian « enterprise closure » and every time there was a mail, I would save it as pdf and import it into the note. Same for every letter, scan -> import. I could put out my thoughts, next step, … on the note.
Because it doesn’t crypt notes or attachments, spotlight can index my notes and I can still search for the attachments.
And the back links are just a bonus because you always end up having multiple side note linked to a main note.
I have yet to see another software that allows me to do these kind of things. Apple notes absolutely sucks on attachments.
Putting attachments in folder with notes at the top is hard to search, things always get lost or duplicated.
I believe there are companies tools for that kind of things like « SERM » but then obsidian just works and it’s free.
Built with tauri & rust, and is more performant, and doesn't rely on random contributions for basic things as plugins.
Disclaimer - I build it.
Is this true? Is there any source about how many obsidian users use third party plugins? For once I don't. Moreover, obsidian by default runs in "restricted mode" which does not allow for community plugins. You have to specifically enable it to be able to install community plugins, hence I assume somebody who does that understands the risks involved. How many people even get into enabling that?
For me it is not even about security firstmost, the whole appeal of markdown is simplicity and interoperability. The more I depend on "plugins" the more I am locked in into this specific platform.
Ah, the WordPress model.
Having to rely on random devs for the most basic functionality and passing it off as `community does what it wants` is weird. Either add it in yourselves, or accept the fact that given your app requires external contributors to work at a little above the basic level, there are going to be security issues.
Writing a whole blog post, and throwing shade on "other apps" that have far more dependencies than Obsidian is weird to me.
Anyway, it seems like you can't really talk bad about them, since there's a huge following that just comes at you, and that feels weird, cause they apparently can throw shade, others can't just talk back.
Yes, on desktop, Obsidian plugins can access files on your system, unless you run it in a container. On iOS, iPadOS, and Android the app is sandboxed so plugins are more constrained.
This is not unique to Obsidian. VS Code (and Cursor) work the same way despite Microsoft being a multi-trillion dollar company. This is why Obsidian ships in restricted mode and there's a full-screen warning before you turn on community plugins.
VS Code and Obsidian have similar tradeoffs, both being powerful file-based tools on the Electron stack. This fear about plugins was raised on the Obsidian forums in 2020 when Obsidian was still new, and Licat explained[1] why it’s not possible to effectively sandbox plugins without making them useless.
So... what do you do?
The drastic option is to simply not use community plugins. You don't have to leave restricted mode. For businesses there are several ways to block network access and community plugins[2]. And we're currently planning to add more IT controls via a policy.json file[3].
The option of using Obsidian without plugins is more viable in 2025 than it was in 2020, as the app has become more full-featured. And we're now regularly doing third-party security audits[4].
But realistically, most people want to run community plugins, and don't have the technical skills to run Obsidian in a container, nor the ability and time to review the code for every plugin update.
So the solution that appeals to us most is similar to the "Marketplace protections"[5] that Microsoft gradually implemented for VS Code. For example, implementing a trusted developer program, and automated scanning of each new plugin update. We plan to significantly revamp the community directory over the coming year and this is part of it.
Note that Obsidian is a team of 7 people. We're 100% user-supported[6] and competing with massive companies like Microsoft, Apple, Google, etc. Security audits are not cheap. Building an entire infrastructure like the one I described above is not easy. We're committing to doing it, but it wouldn't be possible without our supporters.
[1] https://forum.obsidian.md/t/security-of-the-plugins/7544/3
[2] https://help.obsidian.md/teams/deploy
[3] https://x.com/kepano/status/1957927003254059290
[4] https://obsidian.md/security
[5] https://code.visualstudio.com/docs/configure/extensions/exte...
From my buddies who have worked in JS my understanding is that a lot of it is rooted in JavaScript having a really shitty standard library for a long time. So that lead to a culture of code sharing early on since everyone was rewriting the same utilities and what not. Which evolved into the package management ecosystem over time.
Why that came about in something like JavaScript but not C, which also obviously has a really small std is super interesting. My only guess is that JavaScript came up in the internet when package managers started to take on a new meaning, and web dev is more relavent to a broader range of (nontech) companies and they're more likely to put a huge focus on quality over quantity.
While we're on the topic: what's your default markdown handler on Windows?
An absolutely incredible piece of software. If anyone here on HN works on it, you deserve to be proud of your work.
Maybe, just maybe, don't give fullmouthed advice on reducing risk in the supply chain.
What a horribly disingenuous statement, for a product that isn't remotely usable without 3rd-party plugins. The "Obsidian" product would be more aptly named "Mass Data Exfiltration Facilitator Pro".
It is possible to make your same point without histrionic excess.
What is the objective measure of usability to which you are referring? I'm not aware of any such metric.
> As for your high standards vs tendonitis distinction, I'd say these things are not mutually exclusive, and the comparison is not related to what we're talking about.
The connection is that I have different needs in HIDs, just like some people have different needs in Obsidian. There are great ergonomic keyboards available for $50. I just can't use them.
Generally I buy the cheapest peripherals available. My standards are not all that high. Several of them have bugs I've learned to work around.
Evaluators normally use scoring systems for this purpose, in which heuristic violations are rated on a severity scale (commonly 0-4). So when apps like Obsidian rack up many 3s and 4s, you have an objective basis on which to characterize it as unusable. Besides this, there are accessibility and security metrics consisting of pass/fail tests, which are countable.
I guess the best analogy would be a street vendor passing dog meat off as beef. You may think the dog is delicious, but that doesn't make it beef.
I don't think the beef analogy is appropriate. For one it involves deception, and I don't think that's fair to Obsidian. For another Obsidian presents itself as a personal knowledge base, and is a personal knowledge base. Maybe it's a bad one. But that would make it inferior beef, not dog meat. If you think it lacks necessary features, a.) that would seem to me to be beef that needs some steak sauce and b.) the existence of people who do not use plug-ins would seem to empirically prove those features are not always necessary. Because different people have different needs.
That's not even remotely true. Obsidian out-of-the-box is very usable, covers pretty much all use cases for a note-taking software.
I've been using it for ages, and I haven't needed to turn on the Community Plugins switch for anything.
Usually the people I see with tons of Obsidian plugins are people who think "just one more plugin" is what stands between them and productivity.
If you use Wayland and it works for you, that's great, but it's not my experience.
Eslint with such wonderful dependencies like is-glob smh
- All your data is just plain files on your file system. Automation and interop are great, including with tools like Claude Code.
- It’s local-first, so performance is good.
- It’s extensible. Write extensions in HTML, CSS, and JS.
- It’s free.
- Syncing files is straightforward. Use git, Syncthing, Google Drive, or pay for their cheap sync service which is quite good.
- Product development is thoughtful and well done.
- They’re explicitly not trying to lock you in or own your data. They define open specs and build on them when Markdown doesn’t cut it.
Things you might not like:
- Their collaboration story isn’t great yet. No collaborative editing.
- It’s an Electron app.
It's literally at least 100 times more expensive that Dropbox/OneDrive/Google Drive/iCloud sync
The price per GB isn’t as good as the services you mentioned, but their storage limits are fine for the primary use case — storing a lot of plain text notes.
I’ve also had no problems with it, in contrast with iCloud which has routinely gotten stuck for me.
And if price per GB is what you care most about, use something else. That’s one of the great things about Obsidian.
Can’t wait for “implements mechanism to delay application of new patches” to start showing up compliance checklists. My procrastination will finally pay off!
You can install Obsidian flatpak and lock it down with flatseal.
(IIUC, we actually were the first to get a certain certification for cloud deployment, maybe because we had a good handle on this and other factors.)
From the language-specific network package manager, I pulled the small number of third-party packages we used into the filesystem tree of system's repo, and audited each new version. And I disabled the network package manager in the development and deployment environments, to make it much harder for people to add in dependencies accidentally.
Dependencies outside this were either from the Linux distro (nice, because well-managed security updates), or go in the `vendor` or `ots` (off-the-shelf) trees of the repo (and are monitored for security updates).
Though, I look at some of the Python, JS, or Rust dependency explosions I sometimes see -- all dependent on being hooked up to the language's network package manager, with many people adding these cavalierly -- and it becomes a much harder problem.
I understand that not updating your dependencies when new patches are released reduces the chance of accidentally installing malware, but aren’t patches regularly released in order to improve security? Wouldn’t it generally be considered unwise to not install new patches?
pnpm has a setting that you can tell it that a package needs to be at least X minutes old in order to install it. I would wait at least 24 hours just to be safe
Nobody has time to read source code, but there are many tools and services that will tell you brief summaries of release notes. Npm Audit lists security vulnerabilities in your package versions for example.
I do adopt the strategy of not updating unless required, as updates are not only an attack vector, but also an extremely common source of bugs that'd I'd prefer to avoid.
But importantly I stay in the loop about what exploits I'm vulnerable to. Packages are popping up with vulnerabilities constantly, but if it's a ReDoS vulnerability in part of the package I definitely don't use or pass user input to? I'm happy to leave that alone with a notice. If it's something I'm worried another package might use unsafely, with knowledge of the vulnerability I can decide how important it is, and if I need to update immediately, or if I can (preferably) wait some time for the patch to cook in the wild.
That is the important thing to remember about security in this context: it is an active, continuous, process. It's something that needs to be tuned to the risk tolerance and risk appetite of your organisation, rather than a blanket "never update" or "always update" - for a well-formed security stance, one needs more information than that.
This isn't trivial to organise though since semver by it's self doesn't denote when a patch is security related or not. Of course, you can always review the release notes but this is time consuming, and doesn't scale well when a product grows either in size of code base or community support.
This is where there's a fairly natural place for SAST (E.g., Semgrep, Snyk (many more but these are the two I've used the most, in no particular order)), and supply chain scans fall in place, but they're prohibitively expensive.
There is a lot of open source tooling out there that can achieve the same too of course.
I've found there's a considerable linear climb with overheads/TOIL and the larger the number of open source tools you commit to create a security baseline. Unfortunately, this realistically means most companies where time is scarcer than money, means more money shifts into closed source products like those I listed, rather than those ran by open source products/companies.
It's frustrating that a potential availability issue often gets the same (high) rating as a integrity/confidentiality issue
With all of the latest in automated scanning and whatnot, this is more or less a moot point. You'll know when a package is vulnerable, and the alarm bells are loud and unambiguous. I really agree, and have always pushed the point, that version ranges are the worst things you can have if you care about supply chain attacks.
Not only is npm a prominent target but it also does not allow packages to be removed or blocked for usage without a human on their side in the loop.
The result is that they are slow to remove malicious packages and slowing down your own updates helps to mitigate this a little.
I know it is not very different comparing to python or projects in any other language. But I don't feel that I cannot trust node/js community at this point.
You could do it with namespaces.
I think node/whatever-js-run-time/package-manger could allow for namespaced containment for packages with simple modern linux things.
The realms proposal was a step towards that at one time.
I get the intent, but I’m not sure this really buys much. If a package is compromised, the whole thing is already untrustworthy and skipping postinstall doesn’t suddenly make the rest of the code safe. If it isn’t compromised, then you risk breaking legitimate installation steps.
From a security perspective, it feels like an odd tradeoff. I don’t have hard data, but I’d wager we see far more vulnerabilities patched through regular updates than actual supply-chain compromises. Delaying or blocking updates in general tends to increase your exposure rather than reduce it.
I'd like to see the ability to scan/restrict as part of the installation step become popular, there are some proprietary tools that do this already but it's not yet a common capability.
Still, they can present a security risk by injecting malware at build time
I just decided on Thursday after years of covering my ears and eyes from my obsidian-obsessed friends and coworkers that the tool just didn’t make sense to me, and I felt like I’d be in plugin purgatory on my computer for eternity.
I’ve ended up going with Reflect, after ~forever using Apple Notes primarily. So far so good, but I genuinely felt for so long I was supposed to love Obsidian because that’s the trope - appears that’s changing.
If it's a browser, they should have something on their web site that says "obsidian is a really cool browser." I think there are a lot of people out there who are ignoring the hype-train and it would do the community a service if they just started with answering that simple question. I mean sure, I get it, it's a "sharpen your thinking app," but I'm not sure what that means.
Did anyone need the newest xz version in the first place? What negative tradeoffs would have come from pinning a 2022 release for example
Unbelievable
https://github.com/ionic-team/capacitor
https://github.com/Microsoft/tslib
https://github.com/codemirror/autocomplete
https://github.com/codemirror/language
https://github.com/marijnh/style-mod
https://github.com/marijnh/crelt
https://github.com/marijnh/find-cluster-break
https://github.com/marijnh/w3c-keyname
https://github.com/cure53/DOMPurify
https://github.com/electron/electron
https://github.com/electron/get
https://github.com/debug-js/debug
https://github.com/sindresorhus/env-paths
https://github.com/sindresorhus/got
https://github.com/sindresorhus/is
https://github.com/visionmedia/node-progress
https://github.com/npm/node-semver
https://github.com/malept/sumchecker
https://github.com/szmarczak/http-timer
https://github.com/szmarczak/defer-to-connect
https://github.com/szmarczak/cacheable-lookup
https://github.com/jaredwray/cacheable
https://github.com/biomejs/biome
https://github.com/sindresorhus/decompress-response
https://github.com/sindresorhus/mimic-response
https://github.com/octet-stream/form-data-encoder
https://github.com/szmarczak/http2-wrapper
https://github.com/szmarczak/resolve-alpn
https://github.com/sindresorhus/lowercase-keys
https://github.com/sindresorhus/p-cancelable
https://github.com/sindresorhus/responselike
https://github.com/sindresorhus/type-fest
https://github.com/sindresorhus/tagged-tag
https://github.com/max-mapper/extract-zip
https://github.com/sindresorhus/get-stream
https://github.com/Sec-ant/readable-stream
https://github.com/sindresorhus/is-stream
https://github.com/thejoshwolfe/yauzl
https://github.com/brianloveswords/buffer-crc32
https://github.com/andrewrk/node-pend
https://github.com/i18next/i18next
https://github.com/babel/babel
https://github.com/microsoft/TypeScript
https://github.com/lezer-parser
https://github.com/lucide-icons/lucide
https://github.com/mathjax/MathJax
https://github.com/mermaid-js/mermaid
https://github.com/moment/moment
https://github.com/mozilla/pdf.js
https://github.com/pixijs/pixijs
https://github.com/mapbox/earcut
https://github.com/primus/eventemitter3
https://github.com/matt-way/gifuct-js
https://github.com/matt-way/jsBinarySchemaParser
https://github.com/kaimallea/isMobile
https://github.com/browserslist/caniuse-lite
https://github.com/jkroso/parse-svg-path
https://github.com/avoidwork/tiny-lru
https://github.com/PrismJS/prism/
https://github.com/mourner/rbush
https://github.com/mourner/quickselect
https://github.com/remarkjs/remark
https://github.com/hakimel/reveal.js
https://github.com/barrysteyn/node-scrypt
https://github.com/mixmark-io/turndown
https://github.com/mixmark-io/domino
https://github.com/webpack/webpack
https://github.com/acornjs/acorn
https://github.com/nicolo-ribaudo/acorn-import-phases
https://github.com/browserslist/browserslist
https://github.com/web-platform-dx/baseline-browser-mapping
https://github.com/kilian/electron-to-chromium
https://github.com/chicoxyzzy/node-releases
https://github.com/browserslist/update-db
https://github.com/lukeed/escalade
https://github.com/alexeyraspopov/picocolors
https://github.com/samccone/chrome-trace-event
https://github.com/webpack/enhanced-resolve
https://github.com/isaacs/node-graceful-fs
https://github.com/webpack/tapable
https://github.com/guybedford/es-module-lexer
https://github.com/browserify/events
https://github.com/fitzgen/glob-to-regexp
https://github.com/isaacs/node-graceful-fs
https://github.com/npm/json-parse-even-better-errors
https://github.com/webpack/loader-runner
https://github.com/jshttp/mime-types
https://github.com/jshttp/mime-db
https://github.com/suguru03/neo-async
https://github.com/webpack/schema-utils
https://github.com/ajv-validator/ajv
https://github.com/epoberezkin/fast-deep-equal
https://github.com/fastify/fast-uri
https://github.com/epoberezkin/json-schema-traverse
https://github.com/floatdrop/require-from-string
https://github.com/ajv-validator/ajv-formats
https://github.com/ajv-validator/ajv-keywords
https://github.com/DefinitelyTyped/DefinitelyTyped
https://github.com/webpack-contrib/terser-webpack-plugin
https://github.com/jridgewell/sourcemaps
https://github.com/jestjs/jest
https://github.com/yahoo/serialize-javascript
https://github.com/browserify/randombytes
https://github.com/terser/terser
https://github.com/tj/commander.js
https://github.com/evanw/node-source-map-support
https://github.com/LinusU/buffer-from
https://github.com/mozilla/source-map
https://github.com/webpack/watchpack
Whataboutism. Relative comparisons don't address absolute risk. I checked three random packages: prism pulls 22, remark pulls 51, pixijs 179! So that's 250+ transitive dependencies just from those.
> Features like Bases and Canvas were implemented from scratch instead of importing off-the-shelf libraries. This gives us full control over what runs in Obsidian.
Full control? There are still hundreds of dependencies.
> This approach keeps our dependency graph shallow with few sub-dependencies. A smaller surface area lowers the chance of a malicious update slipping through.
Really? Again, this is just one package: https://npmgraph.js.org/?q=pixijs
> The other packages help us build the app and never ship to users, e.g. esbuild or eslint.
Build tools like esbuild don't ship to users, but a compromised build tool can still inject malicious code during compilation. This is supply chain security 101.
> All dependencies are strictly version-pinned and committed with a lockfile
Version pinning is, I would hope, standard practice in any professional development team years and years ago. It prevents accidental updates but doesn't stop compromised existing versions.
> When we do dependency updates, we: > [snip]
While these practices are better than nothing, they don't fundamentally address the core issue.
> That gap acts as an early-warning window: the community and security researchers often detect malicious versions quickly
According to whom? Heartbleed, a vulnerability in a package with far more scrutiny than a typical npm module took what, 2 years to be found? The "community detection" assumption is flawed.
I'm not trying to put Obsidian down here - I sympathize, aside from implementing everything themselves, what can they do! I'm trying to point out that while their intent is good, this is a serious problem and their solution is not a solution.
Of course, it's the same in any project with dependencies. It's the same in other languages as well - if they have a convenient package manager. Like Rust and Cargo.
This problem came with the convenience of package managers and it should be fixed there, not by every application like Obsidian. I'm not sure how but maybe once a package is starting to become popular, additional security measures must be put in place for the author to be able to continue to commit to it. Signing requirements, reproducible builds, 2fa, community reputation systems, who knows.
Individual applications can't solve supply chain security through wishful thinking and version pinning.
Package managers need to solve this at the infrastructure level through measures like mandatory code signing, automated security auditing, dependency isolation, or similar system level approaches.
Obsidian's practices are reasonable given the current tooling limitations, but they don't eliminate the fundamental risks that the package managers bring to modern dependency ecosystems.
> Only a handful of packages are part of the app you run, e.g. Electron, CodeMirror, moment.js.
Honestly, it doesn't seem impressive at all. What Obsidian does is the bare minimum of how we should manage packages in any piece of software, not a testament to a serious security policy. They do security audits, though, which I find to be a good practice.
This should be: Supply chain attacks are malicious updates that sneak into source code used by many apps.
Stop blaming FOSS. Too many people still have the perception that FOSS software is insecure
Defending against security vulnerabilities is definitely one of them, as long as you make the proper investments to harden what you write.
Joel Spolsky write about some other reasons too[2].
0: https://github.com/FusionAuth/java-http
1: https://en.wikipedia.org/wiki/Reinventing_the_wheel
2: https://www.joelonsoftware.com/2001/10/14/in-defense-of-not-...
The app doesn't have the bloaty feel of other Electron apps, but if there was a good more native alternative that fits my bill (md files editable in a graphical mode with good wikilink-syntax support and similar search etc), then I would actually consider switching.
for export it's the same reason many features don't exist yet — the team only has 3 full time developers
brandonspark•4mo ago
mpalmer•4mo ago
brandonspark•4mo ago
mpalmer•4mo ago