npm doesn't check package signatures, should www/npm print security alert?

Mark Felder feld at FreeBSD.org
Mon Mar 16 20:05:54 UTC 2015



On Mon, Mar 16, 2015, at 14:57, Yuri wrote:
> www/npm downloads and installs packages without having signature 
> checking in place.
> There is the discussion about package security 
> https://github.com/node-forward/discussions/issues/29 , but actual 
> checking isn't currently done.
> 
> Additionally, npm allows direct downloads of GitHub projects without any 
> authenticity checking or maintainer review, see  documentation 
> https://docs.npmjs.com/cli/install . Non-explicit syntax 'npm install 
> githubname/reponame' can also be easily confused with the official 
> package name. Random GitHub projects can contain code without any 
> guarantees.
> 
> I think there is the risk that some malicious JavaScript code can be 
> injected through the MITM attack, and server side JavaScript is a fully 
> functional language.
> 
> Shouldn't www/npm at least print a security alert about this? It 
> probably shouldn't be used on production systems until package 
> authentication is in place.
> 
> Yuri
>

This would require FreeBSD to modify npm code to inject this message,
correct? Or do you just want a post-install message when the package is
installed to remind FreeBSD users about it?

It seems to me a scary warning patch should be sent upstream.


More information about the freebsd-security mailing list