[GoLUG] Writing an internet server
Ron
ron at bclug.ca
Wed Aug 20 17:54:54 EDT 2025
Barry Fishman wrote on 2025-08-19 14:03:
>> If you mean Node repos, yes it has been targeted a lot due to its
>> popularity.
>
> It also has had a history of lacking oversight in keeping
> dangerous software out of it.
Yeah, it has had (more than?) its share of problems.
Open repos are susceptible to such things and it's hard to curate them
other than through user feedback. At 3.1+ million packages (according to
ChatGPT), is it possible to have oversight?
Also:
> Popular Python Library Vulnerability Exposes 43 million
> Installations to Code Execution Attacks
>
> Tracked as GHSA-wmxh-pxcx-9w24 and scoring 8.8/10 on the CVSS v3
> severity scale
https://cybersecuritynews.com/popular-python-library-vulnerability/
> In recent years, the rise of cyberattacks exploiting software supply
> chains has posed a significant threat to the open-source software
> ecosystem. In particular, Python developers have become a prime
> target [...]
>
> The attack involved a set of 20 malicious Python packages, which
> were masquerading as legitimate libraries [...]
>
> The first of these malicious packages, tcloud-python-test, was
> uploaded to PyPI as early as November 8, 2023, according to source
> code commit records. Other malicious packages followed suit in the
> subsequent months, continuing the attack through to its eventual
> discovery in March 2025.
https://cybersrcc.com/2025/03/17/the-pypi-attack-malicious-packages-target-cloud-tokens-over-14100-downloads-before-removal/
And, again, a Python vulnerability / malware has full access to the
user's ~ and maybe more, depending on lots of stuff.
A JS vulnerability / malware can't generally do that; that level of hack
is gonna be highly valuable and targeted.
It can mine crypto, costing some $ worth of electricity, slow down a
computer, etc. but not exfiltrate a user's data nor rack up thousands of
dollars of cloud computing costs.
All generally speaking, exceptions expected, no guarantees.
Then there is the issue of distribution.
If one is writing software that they want people to use, it's worth
considering the best method of distribution for a given tool.
Every single computer / mobile user can use your JS app.
> Over half (54%) of the global population – some 4.3 billion people
> – now owns a smartphone
https://www.gsma.com/newsroom/press-release/smartphone-owners-are-now-the-global-majority-new-gsma-report-reveals/
> Mobile phones are the most common gateway to the Internet
https://www.itu.int/itu-d/reports/statistics/2024/11/10/ff24-mobile-phone-ownership/
So, by writing in Python one is excluding a large number of people.
Sometimes, that's okay. But it is a consideration.
I've written programs that process data files with Python and via web
apps with JS on the front and back ends.
Python for a business's internal usage, with Pandas to link two files in
a "left join".
JS via web page for general users to access PostgreSQL window functions
for ranking data. No intervention by me except to ensure invoices paid.
Oh, and Python Pandas corrupts fixed-width-files silently and
irretrievably by trimming whitespace.
They do not care.
They recommend adding delimiters to your carefully crafted column
definitions to defeat this - delimiters that don't exist in the file
like NULLs and are an abomination of a suggestion to add delimiters to
fixed-width-files.
They seem confused between tables and FWFs.
And do not care.
TL;DR
Choose the right language for the targeted audience among other
considerations.
Security is but one and JS is not a more-dangerous choice.
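The post above says that Pandas' fixed-width reader silently trims whitespace from fields. The following is an added example, not code from the thread or from Pandas: a plain-Python fixed-width reader that keeps every character, plus a width-invariant check that flags any field whose length no longer matches its column definition, which is exactly the symptom of a reader that trimmed. The column layout and the two sample records are constructed for the example; the `trim_like_a_lossy_reader` helper only simulates the trimming behaviour the post describes so the check can be seen catching it, and no Pandas call is made.

```python
"""Fixed-width-file (FWF) integrity check.

Added example, not code from the GoLUG thread or from Pandas. The post
says pandas read_fwf silently trims whitespace from fixed-width fields.
This plain-Python reader keeps every character of each field, and
check_widths() flags any field whose length no longer matches its column
width, which is the symptom of a reader that trimmed.
"""
from typing import List, Sequence, Tuple

# (start, end) half-open character offsets, the same shape as pandas' colspecs
ColSpec = Tuple[int, int]

# Constructed sample layout: three columns of width 8, 6 and 4.
# The leading and trailing spaces in "  AB  " and "X   " are significant data.
SAMPLE_COLSPECS: List[ColSpec] = [(0, 8), (8, 14), (14, 18)]
SAMPLE_FWF = (
    "ACME    " "  AB  " "X   " "\n"
    "BETA  LT" "CD    " "  9 " "\n"
)


def read_fwf_exact(text: str, colspecs: Sequence[ColSpec]) -> List[List[str]]:
    """Slice each line by colspecs without stripping anything.

    A line shorter than the record width is rejected rather than padded,
    because a truncated record is itself data corruption."""
    record_width = max(end for _, end in colspecs)
    rows: List[List[str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if len(line) < record_width:
            raise ValueError(
                f"line {lineno}: {len(line)} chars, record width is {record_width}"
            )
        rows.append([line[start:end] for start, end in colspecs])
    return rows


def check_widths(rows: Sequence[Sequence[str]],
                 colspecs: Sequence[ColSpec]) -> List[Tuple[int, int]]:
    """Return (row, column) pairs whose field length differs from the column width.

    Run this on the output of any FWF reader before trusting it: a reader
    that preserves the file yields an empty list, a trimming reader does not."""
    violations: List[Tuple[int, int]] = []
    for r, row in enumerate(rows):
        for c, ((start, end), field) in enumerate(zip(colspecs, row)):
            if len(field) != end - start:
                violations.append((r, c))
    return violations


def trim_like_a_lossy_reader(rows: Sequence[Sequence[str]]) -> List[List[str]]:
    """Simulate the behaviour the post complains about (str.strip() on every
    field). Used only to show that check_widths() catches it."""
    return [[field.strip() for field in row] for row in rows]


if __name__ == "__main__":
    exact = read_fwf_exact(SAMPLE_FWF, SAMPLE_COLSPECS)
    print("exact reader violations  :", check_widths(exact, SAMPLE_COLSPECS))
    trimmed = trim_like_a_lossy_reader(exact)
    print("trimmed reader violations:", check_widths(trimmed, SAMPLE_COLSPECS))
```

The check is cheap enough to run on every load: if any field comes back narrower than its column, the reader has altered the file and the output should not be written back or joined against anything.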