Safer installation with npm of lodestar-cli #3596
Status: Open
Labels: good first issue (issues that are suitable for first-time contributors), help wanted (the author indicates that additional help is wanted), meta-investigate (issues found that require further investigation and may not have a specific resolution/fix), prio-medium (resolve this some time soon (tm)), scope-security (issues that fix security issues: DOS, key leak, CVEs)
Describe the bug
Doing
is vulnerable to dependency attacks, since npm does not consider the yarn.lock during dependency resolution.
Expected behavior
For npm installations, generate a package-lock.json (with https://github.com/imsnif/synp for example) and then generate a shrinkwrap file (see https://docs.npmjs.com/cli/v8/commands/npm-shrinkwrap). The shrinkwrap should take precedence on installation. This generation should happen in CI when publishing.
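The shrinkwrap only protects the installation if every package in it is actually pinned. Below is an added CI check (example code, not Lodestar's own) that audits a generated npm-shrinkwrap.json in lockfile v2 layout: every fetched package must carry a `resolved` URL from the expected registry host and a sha512 `integrity` hash. The lockfile content, package names and hashes are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Constructed sample in npm-shrinkwrap.json / package-lock v2 layout (not a real
# Lodestar lockfile). Keys of "packages" are node_modules paths; "" is the root.
SAMPLE_SHRINKWRAP = json.dumps({
    "name": "example-cli",
    "version": "1.0.0",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-cli", "version": "1.0.0",
             "dependencies": {"left-pad": "^1.3.0", "some-lib": "^2.0.0"}},
        "node_modules/left-pad": {  # fully pinned: registry URL + sha512 hash
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDERHASH"},
        "node_modules/some-lib": {  # no integrity: tarball could be swapped
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/some-lib/-/some-lib-2.0.0.tgz"},
        "node_modules/other-lib": {  # resolved from a host outside the registry
            "version": "0.1.0",
            "resolved": "https://example.invalid/other-lib-0.1.0.tgz",
            "integrity": "sha512-PLACEHOLDERHASH"},
    },
})

ALLOWED_HOSTS = {"registry.npmjs.org"}


def audit_shrinkwrap(text, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (package_path, problem) for every entry that is not fully pinned."""
    lock = json.loads(text)
    problems = []
    if lock.get("lockfileVersion", 1) < 2:
        # v1 files have no "packages" map; treat that as a failure rather than guessing.
        return [("", "lockfileVersion < 2: no 'packages' map to audit")]
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link") or entry.get("inBundle"):
            continue  # root project, workspace symlink or bundled dep: nothing is fetched
        resolved = entry.get("resolved")
        if not resolved:
            problems.append((path, "missing 'resolved' URL"))
        elif urlparse(resolved).hostname not in allowed_hosts:
            problems.append((path, f"resolved from unexpected host {urlparse(resolved).hostname}"))
        if not entry.get("integrity", "").startswith("sha512-"):
            problems.append((path, "missing or non-sha512 'integrity'"))
    return problems


if __name__ == "__main__":
    for path, problem in audit_shrinkwrap(SAMPLE_SHRINKWRAP):
        print(f"{path}: {problem}")
```

In a publish pipeline the job would run this over the real npm-shrinkwrap.json and fail the build when the returned list is non-empty.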
For yarn installations: investigate
TODO
To reduce the attack surface we should count how many individual authors we rely on and minimize that number and/or ensure we have a sufficient level of confidence in them.