-
Notifications
You must be signed in to change notification settings - Fork 240
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RRFC] add message (or opt-out support) for non registry tarball URLs #581
Comments
I would still want it on direct dependencies; i might set the flag in npmrc and a coworker might unknowingly install a direct non-registry dep. |
The behavior I’d want is to configure either silent, warn, or fail the install. The non-semver-major default should be “nothing”, and probably in v9 should change to “warn”. |
Some feedback from the call, prior to opening an RFC
|
Closing: discussion can/should move to the new RFC/PR (ref. #593) |
Gcvnkmnj |
1 similar comment
Gcvnkmnj |
Motivation ("The Why")
This came up during one of the recent RFC meetings a couple weeks ago, and so just wanted to capture it for posterity. I also think it would be a nice feature to have for the security conscious among us.
Example
Whenever a command is run, like
npm i
that otherwise adds / updates installed packages on disk, if any package is NOT coming from a registry (e.g. a tarball URL), then a message should be presented to the user.For example a package.json like this would trigger a message
I speculate that it might only need to apply to transitive dependencies because presumably as an author, if you are setting it for your direct dependencies in your own top-level package.json, then that was a conscious choice. Where as you have no control over what's at the end of that tarball URL if it's coming in through a transitive dependency.
How
Current Behaviour
There is no messaging about tarball URLs.
Desired Behaviour
An npm install going forward would message about tarball URLs.
Additionally, is there value in having the operation fail if the user wants to opt-out of tarball URLs entirely? The rationale being that if the package is installed, but only a message is shown, and if that package is malicious, then it is already too late by that point to avoid any harm.
Some users may want to explicitly opt-out of any anything that does NOT come from a registry, and so the command should fail immediately at that point.
References
The text was updated successfully, but these errors were encountered: