Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[RRFC] add message (or opt-out support) for non registry tarball URLs #581

Closed
thescientist13 opened this issue May 3, 2022 · 6 comments
Closed

Comments

@thescientist13
Copy link

Motivation ("The Why")

This came up during one of the recent RFC meetings a couple weeks ago, and so just wanted to capture it for posterity. I also think it would be a nice feature to have for the security conscious among us.

Example

Whenever a command is run, like npm i that otherwise adds / updates installed packages on disk, if any package is NOT coming from a registry (e.g. a tarball URL), then a message should be presented to the user.

For example a package.json like this would trigger a message

{
  "dependencies": {
    "@babel/cli": "^7.4.0",
    "eslint": "git+https://github.com/eslint/eslint.git"
  }
}

I speculate that it might only need to apply to transitive dependencies because presumably as an author, if you are setting it for your direct dependencies in your own top-level package.json, then that was a conscious choice. Where as you have no control over what's at the end of that tarball URL if it's coming in through a transitive dependency.

How

Current Behaviour

There is no messaging about tarball URLs.

Desired Behaviour

An npm install going forward would message about tarball URLs.

 % npm i     
npm WARN deprecated [email protected]: CoffeeScript on NPM has moved to "coffeescript" (no hyphen)
npm WARN eslint installed from tarball URL <URL>

added xxx packages, and audited xxx packages in 8s

...

Additionally, is there value in having the operation fail if the user wants to opt-out of tarball URLs entirely? The rationale being that if the package is installed, but only a message is shown, and if that package is malicious, then it is already too late by that point to avoid any harm.

Some users may want to explicitly opt-out of any anything that does NOT come from a registry, and so the command should fail immediately at that point.

$ npm install --no-tarball-urls

References

  • n/a
@ljharb
Copy link
Contributor

ljharb commented May 3, 2022

I would still want it on direct dependencies; i might set the flag in npmrc and a coworker might unknowingly install a direct non-registry dep.

@ljharb
Copy link
Contributor

ljharb commented May 3, 2022

The behavior I’d want is to configure either silent, warn, or fail the install. The non-semver-major default should be “nothing”, and probably in v9 should change to “warn”.

@darcyclarke darcyclarke added the Agenda will be discussed at the Open RFC call label May 11, 2022
@thescientist13
Copy link
Author

Some feedback from the call, prior to opening an RFC

  • warn by default for direct dependencies
  • hide by default for transitive dependencies
  • flag to enable deeper level of transparency + action-ability via flag (e.g. to fail the build, or at least warn about transitive dependencies, etc)

@darcyclarke darcyclarke removed the Agenda will be discussed at the Open RFC call label May 18, 2022
@darcyclarke darcyclarke added Agenda will be discussed at the Open RFC call and removed Agenda will be discussed at the Open RFC call labels May 25, 2022
@darcyclarke
Copy link
Contributor

Closing: discussion can/should move to the new RFC/PR (ref. #593)

@Andreitha22
Copy link

Gcvnkmnj

1 similar comment
@Andreitha22
Copy link

Gcvnkmnj

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants