Date: Mon, 16 Mar 2015 12:57:07 -0700
From: Yuri <yuri@rawbw.com>
To: freebsd-security@freebsd.org
Subject: npm doesn't check package signatures, should www/npm print security alert?
Message-ID: <55073593.50108@rawbw.com>
www/npm downloads and installs packages without having signature checking in place. There is a discussion about package security at https://github.com/node-forward/discussions/issues/29 , but actual checking isn't currently done.

Additionally, npm allows direct downloads of GitHub projects without any authenticity checking or maintainer review; see the documentation at https://docs.npmjs.com/cli/install . The non-explicit syntax 'npm install githubname/reponame' can also be easily confused with the official package name. Random GitHub projects can contain code without any guarantees.

I think there is a risk that malicious JavaScript code can be injected through a MITM attack, and server-side JavaScript is a fully functional language.

Shouldn't www/npm at least print a security alert about this? It probably shouldn't be used on production systems until package authentication is in place.

Yuri