Verify the js-yaml package integrity #700
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
LaurentGoderre
force-pushed
the
check-js-yaml
branch
from
5548857
to
13074fb
Compare
tianon
approved these changes
Jul 5, 2024
There was a problem hiding this comment.
I don't love the added /dist/ directory, but as noted in #700 (comment), the alternatives are probably very slightly worse (IMO) 👍
There is a minor nit with the checksum though that I think we should move up next to the JSYAML_VERSION variable since when one changes they both have to. If that checksum is published on a webpage somewhere, it'd also be helpful to make sure we're linking to that in a comment next to it (so that it's easier to figure out where it comes from if/when we update it).
|
I don't love the added dist either but couldn't get rid of it with the extract command alone. If I use sttip-components 2, the package.json doesn't get extracted |
LaurentGoderre
force-pushed
the
check-js-yaml
branch
from
13074fb
to
8c1c861
Compare
|
@tianon ok to merge? |
LaurentGoderre
force-pushed
the
check-js-yaml
branch
from
8c1c861
to
53e019a
Compare
yosifkit
reviewed
Oct 3, 2024
yosifkit
approved these changes
Oct 3, 2024
|
On a side note, https://registry.npmjs.org/js-yaml has some embedded signatures that we may want to verify in the future: "dist": {
"integrity": "sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==",
"shasum": "aff151b30bfdfa8e49e05da22e7415e9dfa37847",
"tarball": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz",
"fileCount": 37,
"unpackedSize": 283005,
"npm-signature": "-----BEGIN PGP SIGNATURE-----\r\nVersion: OpenPGP.js v3.0.4\r\nComment: https://openpgpjs.org\r\n\r\nwsFcBAEBCAAQBQJcp38bCRA9TVsSAnZWagAAhE0P/0hyn9bXVGMTE7DJSmeU\nxZMBBwOP6Ofyr6597JzDE/mpqUDnqRTbArd4Pf1FoM38YDIdoFcvSayCtyaA\nqTodzwt6UIw0ljoI7VnpiSq4S8Gbo6vKeEpbv4Gh6Jc9YHmNIJLfR/iNJ/Ti\np4oAfBogNdWhP6Oqb6Sp3OyF2IOvr7+q90IlkvfDk+pm3ZVF744CjZ0/6rZO\nX5UOWWQsF7bpZDsBV9MAQ+9ifHmHTSbDKsBFxOhnxSvZMSWgJnY8JHHbusk0\nWxCE+DJ9C9C7w+Li22inlNd7y+VNRzK2K3H7pJ0A+fSZp0sWePUuj+ObUarT\nJJU7HbkQT/VyyZdlaprl1GTSWEQdyxvT82fXgqXD3H6X1v5o9kSuKyJaNo8k\nDOFAYQhHBVfY2zMaT+S34uf1hKC9iQJq7kvQ65h/9DYlpcLkSCYhlaANx3V+\nuXdQHLlSRnZHgOaS8HvwVWsA5ZeFjS8xA58d671Li3LsXStZV0x0fgxDJYR0\nUU32uvth2/nCwLaxzPWDFA98FEpOU8/C5ywRk4JIJ1nGbP1qz7XtBwFnL6h4\nmewcAO1JgavPjkMe6qPmiw5jlZd0ebGCRdiaKGoPq1GXRnl+ctOeRSvyfUPf\nx2UNiVHRjzDb7PFpkW7KogNOkmN2TEIrJa3GKAT+GlLn8W0+lkUk/qCUeR5N\nIDd6\r\n=IAWU\r\n-----END PGP SIGNATURE-----\r\n",
"signatures": [
{
"keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA",
"sig": "MEQCICcyMFOpLvWhCJ6rfrqOhJurrDbHHY44FcmJBW04GRpUAiBVXUy35hdps/0FXT9SX3X6rsqOGLU6EbAm2HmGr4PRsw=="
}
]
}, |
LaurentGoderre
force-pushed
the
check-js-yaml
branch
from
53e019a
to
1e10aea
Compare
docker-library-bot
added a commit
to docker-library-bot/official-images
that referenced
this pull request
Oct 3, 2024
Changes: - docker-library/mongo@6b5b166: Merge pull request docker-library/mongo#700 from LaurentGoderre/check-js-yaml - docker-library/mongo@1e10aea: Verify the js-yaml package integrity
docker-library-bot
added a commit
to docker-library-bot/official-images
that referenced
this pull request
Oct 9, 2024
Changes: - docker-library/mongo@625c85c: Update 7.0-rc to 7.0.15-rc1 - docker-library/mongo@6b5b166: Merge pull request docker-library/mongo#700 from LaurentGoderre/check-js-yaml - docker-library/mongo@1e10aea: Verify the js-yaml package integrity
docker-library-bot
added a commit
to docker-library-bot/official-images
that referenced
this pull request
Oct 9, 2024
Changes: - docker-library/mongo@a47dd91: Update 8.0-rc - docker-library/mongo@c7174de: Update 8.0 to 8.0.1 - docker-library/mongo@625c85c: Update 7.0-rc to 7.0.15-rc1 - docker-library/mongo@6b5b166: Merge pull request docker-library/mongo#700 from LaurentGoderre/check-js-yaml - docker-library/mongo@1e10aea: Verify the js-yaml package integrity
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.