Replies: 1 comment 2 replies
-
|
some prior art to consider here is https://github.com/lirantal/lockfile-lint by @lirantal. i've been using this in a lot of my projects specifically for this reason. |
Beta Was this translation helpful? Give feedback.
-
LGTM, after all, this is a third-party tool, it would be better if npm provided such a feature |
Beta Was this translation helpful? Give feedback.
-
|
very much agree that it would be great to be a core feature. just highlighting as a reference if it gets that far. hopefully also helps in the meantime for folks looking for protection now |
Beta Was this translation helpful? Give feedback.
-
When our project depends a lot,
package-lock.jsonwill become very large.This will cause a lot of changes in
package-lock.jsonwhen adding a new dependency.This makes it difficult for us to review
package-lock.jsonLet's Imagine:
We currently using
https://registry.npmjs.orginpackage-lock.jsonNow, a new contributor initiate a PR and update
package-lock.json, and it quietly changed one of its dependent's registry tohttps://unknown.registry.com. This domain name is a domain name prepared by the hacker. It has altered the dependent'spostinstallhook. When npm downloads this dependency, it can execute the hook functionpostinstall.This is a disaster for anyone.So we need a whitelist mechanism to download only trusted registries.
Beta Was this translation helpful? Give feedback.
All reactions