Date:      Mon, 16 Mar 2015 15:05:52 -0500
From:      Mark Felder <feld@FreeBSD.org>
To:        freebsd-security@freebsd.org
Subject:   Re: npm doesn't check package signatures, should www/npm print security alert?
Message-ID:  <1426536352.4157462.241176113.7D625599@webmail.messagingengine.com>
In-Reply-To: <55073593.50108@rawbw.com>
References:  <55073593.50108@rawbw.com>



On Mon, Mar 16, 2015, at 14:57, Yuri wrote:
> www/npm downloads and installs packages without having signature
> checking in place.
> There is a discussion about package security at
> https://github.com/node-forward/discussions/issues/29 , but actual
> checking isn't currently done.
>
> Additionally, npm allows direct downloads of GitHub projects without any
> authenticity checking or maintainer review; see the documentation at
> https://docs.npmjs.com/cli/install . The non-explicit syntax 'npm install
> githubname/reponame' can also be easily confused with the official
> package name. Random GitHub projects can contain code without any
> guarantees.
>
> I think there is a risk that malicious JavaScript code can be
> injected through a MITM attack, and server-side JavaScript is a fully
> functional language.
>
> Shouldn't www/npm at least print a security alert about this? It
> probably shouldn't be used on production systems until package
> authentication is in place.
> 
> Yuri
>

This would require FreeBSD to modify npm code to inject this message,
correct? Or do you just want a post-install message when the package is
installed to remind FreeBSD users about it?

It seems to me a scary warning patch should be sent upstream.
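The point Yuri raises about `npm install githubname/reponame` being easy to confuse with a registry package name can be turned into a pre-install check. The following is an added example, not code from npm or from the FreeBSD port: it classifies each `npm install` argument by where the code would be fetched from (registry, GitHub shorthand, hosted-git alias, or raw URL) so that anything not coming from the registry can be reviewed first. The classification rules are a simplified reading of the spec forms documented at https://docs.npmjs.com/cli/install, not npm's own parser, and the argument list at the bottom is constructed.

```javascript
// Classify one `npm install <spec>` argument by the source it resolves to.
// Simplified rules (assumption, not npm's own parser):
//   url              - git+https://, https://, ssh://, file:, git@host:...
//   hosted-git       - github:, gitlab:, bitbucket:, gist: aliases
//   github-shorthand - owner/repo[#committish]   (no leading '@')
//   registry         - name[@range] or @scope/name[@range]
//   unknown          - anything else; treat as needing review
function classifyNpmSpec(spec) {
  const s = spec.trim();
  if (/^(git\+)?(https?|ssh|git|file):\/\//.test(s) || /^file:/.test(s) || /^git@[\w.-]+:/.test(s)) {
    return 'url';
  }
  if (/^(github|gitlab|bitbucket|gist):/.test(s)) return 'hosted-git';
  // Scoped registry package: @scope/name, optionally followed by @range
  if (/^@[^/@]+\/[^/@]+(@.*)?$/.test(s)) return 'registry';
  // Exactly one slash and no leading '@': npm treats this as a GitHub repo
  if (/^[^@/]+\/[^/@]+(#.*)?$/.test(s)) return 'github-shorthand';
  // Plain registry name, optionally followed by @range (no slash, no colon)
  if (/^[A-Za-z0-9][A-Za-z0-9._-]*(@.*)?$/.test(s)) return 'registry';
  return 'unknown';
}

// Walk an argument list, skip CLI flags, and return every spec that does not
// resolve to the registry so it can be inspected before installation.
function auditInstallArgs(args) {
  const flagged = [];
  for (const arg of args) {
    if (arg.startsWith('-')) continue; // --save, -g, etc. are not specs
    const kind = classifyNpmSpec(arg);
    if (kind !== 'registry') flagged.push({ spec: arg, kind });
  }
  return flagged;
}

// Constructed argument list: the second entry is GitHub shorthand that looks
// like the registry package "express" but is fetched from GitHub unreviewed.
const sampleArgs = ['--save', 'express', 'expressjs/express', 'github:example/pkg'];
for (const hit of auditInstallArgs(sampleArgs)) {
  console.log(`review before install: ${hit.spec} (${hit.kind})`);
}
```

Run with `node` and the two non-registry specs are listed; a wrapper script around `npm install` could refuse to proceed until they are acknowledged.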
