Full-offline installation #16
Replies: 2 comments 6 replies
-
This tool does 2 things:
None of this is strictly security. The security provided for you is the ability to turn off running all postinstall scripts, even the unexpected ones. You might as well manually allow all existing scripts. The security value-add is in not running scripts that weren't there yesterday. This command is merely helping you narrow down what you'll run to make the allowlist shorter. It doesn't do any security and should only be run by the developer who's configuring the allowlist of scripts. The http request is there to fetch the latest research even if you installed the CLI much earlier. And it populates a set of all packages with scripts that can be periodically added to the todo for research. No information provided by this package has security impact. There's nothing to compromise here. You get compromised if you run a malicious script that was added to a package that didn't have one before. |
Beta Was this translation helpful? Give feedback.
-
Fwiw, unless I misread the code, this tool will leak all used packages to the web service. This could include internal package names, enabling industrial espionnage and supply chain attacks if these package names are leaked by the web service somehow. There should be a flag to only use the local data, without ever reaching out to the web service. Either that or never including package names in the request made to the web service. |
Beta Was this translation helpful? Give feedback.
-
I love the concept and idea of this tool. However, when doing an audit of the code, I find that there's a heavy does of irony.
This package is meant to be used to -tighten- the security of applications by being able to install or npm packages without running scripts. However, the CLI as it stands makes web requests for its data. That web request opens this package up to a much wider attack surface: instead of merely compromising this package, one could compromise the website that this package contacts. That's a much more serious vulnerability because it would allow compromising prior versions of this package without requiring a new release.
I would suggest a hardened version of this package be developed. One that is nothing but the CLI (CLI users shouldn't need to download the research, public or api directories at all) and that doesn't make any on-demand web requests.
Beta Was this translation helpful? Give feedback.
All reactions