npm doesn't check package signatures, should www/npm print security alert?
Yuri
yuri at rawbw.com
Mon Mar 16 19:57:14 UTC 2015
www/npm downloads and installs packages without having signature
checking in place.
There is a discussion about package security at
https://github.com/node-forward/discussions/issues/29, but actual
checking isn't currently done.
Additionally, npm allows direct downloads of GitHub projects without any
authenticity checking or maintainer review; see the documentation at
https://docs.npmjs.com/cli/install. The non-explicit syntax 'npm install
githubname/reponame' can also be easily confused with the official
package name. Random GitHub projects can contain code without any
guarantees.
I think there is a risk that some malicious JavaScript code can be
injected through a MITM attack, and server-side JavaScript is a fully
functional language.
Shouldn't www/npm at least print a security alert about this? It
probably shouldn't be used on production systems until package
authentication is in place.
Yuri
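The two concerns in the message above (installs that pull code straight from GitHub or an arbitrary URL rather than the registry, and downloads that are never checked against a known hash) can both be turned into a pre-install policy check. The Python below is an added example, not part of Yuri's post and not code from npm or FreeBSD. It classifies install specifiers by their source and verifies a downloaded tarball against a pinned SRI hash of the "sha512-<base64>" form. The specifier grammar is an assumption-level approximation of npm's (registry names, @scope/name, user/repo shorthand, github:/gitlab:/bitbucket:/gist: prefixes, git and http URLs, scp-style git addresses, local paths); the package names and tarball bytes are constructed for the demo.

```python
"""Pre-install policy check for npm dependencies (added example, not npm's own code).

Two defender-side checks:
  1. classify(): which install specifiers resolve to the registry and which
     pull code from GitHub, git, an arbitrary URL, or a local path;
  2. verify_sri(): check a downloaded tarball against a pinned
     Subresource-Integrity hash before it is extracted.
The specifier grammar below is an approximation of npm's (assumption).
"""
import base64
import binascii
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Registry name: optional @scope/, then a name, then an optional @version/range.
# The version part may not contain '/', ':' or '@', so URLs and aliases fall through.
_REGISTRY_NAME = re.compile(r"^(?:@[a-z0-9][\w.-]*/)?[a-z0-9][\w.-]*(?:@[^@/:]*)?$")
# GitHub shorthand 'user/repo' with an optional '#committish'; no scheme, no @scope.
_GITHUB_SHORTHAND = re.compile(r"^[A-Za-z0-9][\w.-]*/[A-Za-z0-9][\w.-]*(?:#.*)?$")
# scp-style git address such as git@host.example:user/repo.git (host must contain a dot).
_SCP_GIT = re.compile(r"^[\w.-]+@[\w-]+(?:\.[\w-]+)+:")


def classify(spec: str) -> str:
    """Return 'registry', 'github', 'git', 'url', 'local' or 'unknown' for an install spec."""
    if spec.startswith(("./", "../", "/", "~/", "file:")):
        return "local"
    scheme = urlparse(spec).scheme
    if scheme in ("http", "https"):
        return "url"
    if scheme in ("git", "git+ssh", "git+https", "git+http", "git+file", "ssh"):
        return "git"
    if _SCP_GIT.match(spec):
        return "git"
    if spec.startswith(("github:", "gitlab:", "bitbucket:", "gist:")):
        return "github"
    if spec.startswith("@"):
        return "registry" if _REGISTRY_NAME.match(spec) else "unknown"
    if _GITHUB_SHORTHAND.match(spec):
        return "github"  # 'user/repo' is easy to mistake for a registry name
    if _REGISTRY_NAME.match(spec):
        return "registry"
    return "unknown"


def audit_specs(specs, allow=("registry",)):
    """Return (spec, source) pairs whose source is not in the allowed set."""
    flagged = []
    for spec in specs:
        source = classify(spec)
        if source not in allow:
            flagged.append((spec, source))
    return flagged


def sri_sha512(data: bytes) -> str:
    """Compute an SRI string ('sha512-<base64 digest>') for a tarball's bytes."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def verify_sri(data: bytes, expected: str) -> bool:
    """Check tarball bytes against a pinned SRI hash; constant-time compare, False on bad input."""
    algo, _, b64 = expected.partition("-")
    if algo not in ("sha256", "sha384", "sha512") or not b64:
        return False
    try:
        pinned = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    return hmac.compare_digest(hashlib.new(algo, data).digest(), pinned)


if __name__ == "__main__":
    # Constructed dependency list mixing registry names with riskier sources.
    wanted = ["lodash@^4.17", "@types/node@18", "expressjs/express",
              "github:expressjs/express#v4", "https://example.invalid/pkg-1.0.0.tgz"]
    for spec, source in audit_specs(wanted):
        print(f"WARNING: {spec!r} is fetched from source '{source}', not the registry")

    # Constructed tarball bytes: pin the hash once, then reject a modified download.
    tarball = b"constructed tarball bytes"
    pinned = sri_sha512(tarball)
    print("pinned:", pinned)
    print("intact download verifies:", verify_sri(tarball, pinned))
    print("tampered download verifies:", verify_sri(tarball + b"!", pinned))
```

In practice the dependency list would come from package.json and the pinned hashes from a lockfile generated on a trusted machine; the check then runs before any code from the download is executed.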
More information about the freebsd-security mailing list