npm doesn't check package signatures, should www/npm print security alert?
Mark Felder
feld at FreeBSD.org
Mon Mar 16 20:05:54 UTC 2015
On Mon, Mar 16, 2015, at 14:57, Yuri wrote:
> www/npm downloads and installs packages without having signature
> checking in place.
> There is the discussion about package security
> https://github.com/node-forward/discussions/issues/29 , but actual
> checking isn't currently done.
>
> Additionally, npm allows direct downloads of GitHub projects without any
> authenticity checking or maintainer review, see documentation
> https://docs.npmjs.com/cli/install . Non-explicit syntax 'npm install
> githubname/reponame' can also be easily confused with the official
> package name. Random GitHub projects can contain code without any
> guarantees.
>
> I think there is the risk that some malicious JavaScript code can be
> injected through the MITM attack, and server side JavaScript is a fully
> functional language.
>
> Shouldn't www/npm at least print a security alert about this? It
> probably shouldn't be used on production systems until package
> authentication is in place.
>
> Yuri
>
This would require FreeBSD to modify npm code to inject this message,
correct? Or do you just want a post-install message when the package is
installed to remind FreeBSD users about it?
It seems to me a scary warning patch should be sent upstream.
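An added example, not code from this thread or from npm itself: a small audit that walks a package.json and flags every dependency spec npm would fetch outside the registry, including the implicit 'user/repo' GitHub shorthand Yuri mentions, hosted-git prefixes, git and tarball URLs and local paths. The package names, hosts and URLs in the embedded sample manifest are constructed placeholders; the spec-classification regexes are a heuristic reading of the npm install documentation, not npm's own resolver.

```javascript
const HOSTED_PREFIX = /^(github|gitlab|bitbucket|gist):/i;     // github:user/repo[#ref]
const URL_SCHEME = /^(git\+)?(ssh|https?|git):\/\//i;          // git+ssh://..., https://...
const SCP_STYLE = /^[\w.-]+@[\w.-]+:/;                         // git@github.com:user/repo.git
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(#.*)?$/;           // implicit user/repo[#ref]
const SEMVER_RANGE = /^[\sv~^<>=|\-\d.xX*]+$/;                 // ^1.2.3, >=1 <2, 1.x || 2.x
const DIST_TAG = /^[A-Za-z][\w.-]*$/;                          // latest, next, beta
// Classify one dependency spec by the mechanism npm uses to fetch it (heuristic).
function classifySpec(spec) {
  const s = String(spec).trim();
  if (s === '' || s === '*' || s.startsWith('npm:')) return 'registry';
  if (/^(git\+)?file:/i.test(s) || /^(\.\.?|~)?\//.test(s)) return 'local-path';
  if (URL_SCHEME.test(s)) return /\.(tgz|tar\.gz)$/i.test(s) ? 'tarball-url' : 'git-url';
  if (SCP_STYLE.test(s)) return 'git-url';
  if (HOSTED_PREFIX.test(s)) return 'hosted-git';
  if (GITHUB_SHORTHAND.test(s)) return 'github-shorthand';
  if (SEMVER_RANGE.test(s) || DIST_TAG.test(s)) return 'registry';
  return 'unknown';
}
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
// One finding per dependency that bypasses the registry; plain-http tarballs are
// additionally marked, being the clearest MITM vector among the cases in the thread.
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const findings = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const kind = classifySpec(spec);
      if (kind === 'registry') continue; // registry-resolved, though still not signature-checked
      findings.push({ section, name, spec, kind, plaintextHttp: /^http:\/\//i.test(String(spec)) });
    }
  }
  return findings;
}
// Constructed sample manifest; names and hosts are placeholders, not real packages.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  dependencies: {
    '@acme/tool': '~2.1.0',
    lodash: 'lodash/lodash',
    'left-pad': 'github:someone/left-pad#v1.0',
    'internal-lib': 'git+ssh://git@example.com/internal-lib.git',
    legacy: 'http://example.com/legacy-1.0.tgz',
    local: 'file:../local',
  },
  devDependencies: { mocha: 'latest' },
});
auditPackageJson(SAMPLE_PACKAGE_JSON).forEach(f => console.log(f.section, f.name, f.kind, f.plaintextHttp ? '(plain http)' : ''));
```

Running it against the sample prints the five non-registry dependencies; the scoped semver spec and the 'latest' dist-tag are not flagged.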
More information about the freebsd-security mailing list