npm doesn't check package signatures, should www/npm print security alert?
Yuri
yuri at rawbw.com
Mon Mar 16 20:10:34 UTC 2015
On 03/16/2015 13:05, Mark Felder wrote:
> This would require FreeBSD to modify npm code to inject this message,
> correct? Or do you just want a post-install message when the package is
> installed to remind FreeBSD users about it?
>
> It seems to me a scary warning patch should be sent upstream.
I meant a post-install message.
pkg and ports nicely check package signatures or fingerprints, but then
npm defeats this outright, if installed.
Yuri
More information about the freebsd-security mailing list