Supply chain attacks, React, and the death of “mix & match” development
Recently, a popular open source project called polyfill.js was taken over by a bad actor, who injected malicious code into the project.
100s of thousands of sites with CI (Continuous Integration) systems ran their usual automated build & deploy cycle, and the exploit is now all over the place.
This is called a “supply chain attack” and you have to worry about the same thing in many arenas – you shouldn’t just use random WordPress plugins, for example – you have to vet them.
Isomorphic: Not vulnerable by design
It didn’t take long before someone asked Isomorphic if we were vulnerable to the attack.
We’re not – by design.
That’s because we actually vet the various open source libraries we use, both for any licensing issues and for possible supply chain issues like this one.
And we also minimize the number of dependencies we have.
This is what you should expect from your platform vendor.
React “mix & match”: a disaster waiting to happen
As we’ve written about previously, the approach commonly taken in React projects – mix & match components from a lot of different vendors – is a disaster in many ways.
Aside from all the “glue code” you end up writing to wire different components together, you end up with inconsistent approaches to theming, internationalization, accessibility, modal window layering, and so on.
We have yet to see a “mix & match” app pass the kind of review required to sell real enterprise software – indeed we’ve seen many that went through a complete rewrite (to get rid of mix & match) because it was necessary to sell into large enterprises.
But “supply chain” attacks introduce a whole new dimension to “mix & match”: any of the single-purpose components you use could be taken over by a bad actor in a moment’s notice.
Worse, the dependencies of those single-purpose components could likewise be taken over in a moment’s notice.
It’s an entire web of vulnerabilities. Further, most companies that use the mix & match approach just let developers pick components – there is no further vetting.
Know your supply chain
The advent of “supply chain attacks” means you have to know your entire supply chain – down to the minor OSS (Open Source Software) components that may be indirect inclusions of something else you rely on.
And if you don’t, well… you’re vulnerable. And I mean right now.
We’ve made this point before, and been told that we were spreading FUD (Fear, Uncertainty and Doubt) as a way to try to edge out smaller OSS projects.
With 100s of thousands of sites now vulnerable because of an OSS project takeover, let’s just say: we’ve been vindicated.
This is neither the first such exploit, nor will it be anything like the last.
It’s time to get to know your supply chain.
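To make “know your supply chain” concrete for a React/npm project, here is an added example (not from the original post) that audits an npm lockfile: it counts how many packages are indirect inclusions and flags anything a CI build would fetch without an integrity hash or from outside the registry. The lockfile is constructed; every package name except react, and the host `cdn.example.invalid`, are placeholders.

```javascript
// Allowed artifact source (assumption: only the public npm registry is trusted).
const REGISTRY = "https://registry.npmjs.org/";

// Constructed stand-in for a real package-lock.json (lockfileVersion 2/3 "packages" map).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { react: "^18.2.0", "ui-widget": "^1.0.0" } },
    "node_modules/react": {
      version: "18.2.0",
      resolved: "https://registry.npmjs.org/react/-/react-18.2.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
      dependencies: { "tiny-helper": "^0.0.3" },
    },
    "node_modules/tiny-helper": {
      version: "0.0.3",
      resolved: "https://registry.npmjs.org/tiny-helper/-/tiny-helper-0.0.3.tgz",
      // No integrity field: CI accepts whatever the server returns on the next build.
    },
    "node_modules/ui-widget": {
      version: "1.0.0",
      resolved: "https://cdn.example.invalid/ui-widget-1.0.0.tgz", // third-party host
      dependencies: { "tiny-helper": "*" },
    },
  },
};

// Walk every installed package (direct and transitive) and report supply-chain findings.
function auditLockfile(lock, registry = REGISTRY) {
  const pkgs = lock.packages;
  const direct = new Set(Object.keys(pkgs[""].dependencies || {}));
  const findings = [];
  let transitive = 0;
  for (const [path, meta] of Object.entries(pkgs)) {
    if (path === "") continue; // root project entry
    // Last "node_modules/" segment gives the package name, scoped or nested.
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!direct.has(name)) transitive++;
    if (!meta.integrity) findings.push(`${name}@${meta.version}: no integrity hash`);
    if (meta.resolved && !meta.resolved.startsWith(registry))
      findings.push(`${name}@${meta.version}: resolved outside registry (${meta.resolved})`);
  }
  return { direct: direct.size, transitive, findings };
}

console.log(auditLockfile(SAMPLE_LOCK));
```

On a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))` and fail the CI job when `findings` is non-empty.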
React “mix & match” is dead
The approach of mixing & matching components never should have been tried with React – it had already been tried and failed before, repeatedly (jMaki, anyone?).
It wouldn’t have even been attempted again except that both Facebook (React) and Google (Angular, GWT) put out frameworks that seemed to suggest mix & match was a sanctioned approach.
It is now dead (again).
Now that supply chain attacks are a reality, nobody in their right mind would allow enterprise developers to just go out and pick some random projects and cobble them together.
The path forward
Enterprises need to pick a single framework that covers the vast majority of their needs, and then very carefully audit whether they might need to use specialized components for some niche use case.
Both the main framework and any ancillary components need to be vetted and come from stable, established, security-conscious vendors.
Whether you use our particular products or not – this is the only path forward.
Isomorphic does offer a comprehensive suite of components, which you can use with React, with GWT, with plain JS, with TypeScript, and with many other frameworks.
You can also have your backend be Java, or .NET, or Node, or Python, or whatever.
So you can have one vetted framework, and one vetted vendor, that covers all the skillsets that might exist anywhere in your enterprise.
But whether you use our technology or not, please, take our advice and stop mixing & matching, and understand your supply chain.
Because we hate to say we told you so… actually, no, we’re fine saying we told you so.
We told you so.