-
Notifications
You must be signed in to change notification settings - Fork 239
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RRFC] Security: audit lockfiles for injection #539
Comments
Since many layers of security has failed if someone has edited your lockfiles, and once someone has file access to your repo, there are infinite numbers of possible attacks, there's not any guarantees that we could make. However, I think it's worthy of discussion. |
If someone does that, then wouldn't the package.json and the lockfile no longer agree? That seems like something npm should be checking. |
This has been written about before, and IIRC has happened, though I don't recall the explicit instance. There's a writeup from Snyk here that goes into some detail about how you could also abuse GitHub's diff review to hide these changes.
I actually disagree with this. I think it's fairly common in module upgrades in open source if you're checking in a lockfile. IMO adding
hence this RRFC? :P |
I would think that |
this is exactly the work i'm starting this week. |
maybe |
If versions inside package.json and package-lock.json don't match, then
After
Now we can manually update the It'd be great, if |
as of npm@8.6.0 we validate that the shape of your dependency tree is valid when we reify, this means that if a dependency were removed entirely or the wrong version is somewhere, we will throw an error. this lays the groundwork for adding some further verifications, like |
@nlf @darcyclarke Does that mean that integrity vulnerability won't be fixed in near future? |
Motivation ("The Why")
A user was concerned that a malicious person could edit a lockfile to replace packages. This attack is interesting, because the default diff view in tools like GitHub commits view sometimes hide package-lock.json/shrinkwrap.json changes.
npm/cli#4447
They opened similar issues to pnpm and yarn.
pnpm/pnpm#4361
yarnpkg/berry#4136
Example
Complete examples are listed in npm/cli#4447
How
We currently use package-lock.json as a trusted state for which exact packages should be installed.
Desired Behaviour
There are specific types of inconsistencies that could be analyzed or caught when reifying, like validating registry mapping with config.
References
npm/cli#4447
pnpm/pnpm#4361
yarnpkg/berry#4136
The text was updated successfully, but these errors were encountered: