Questions tagged [npm]
npm is a package manager for Node.js
32 questions
Does npm (Node.js package manager) provide cryptographic authentication and integrity validation?
1 vote, 2 answers, 94 views
Does the npm package manager cryptographically validate its payload's authentication and integrity for all packages after downloading them and before installing them?
I see a lot of guides providing ...
Is it wise to skip frequent NPM dependency updates in light of recent supply-chain attacks?
3 votes, 1 answer, 174 views
In recent days, a significant number of NPM packages got compromised in quite sophisticated, worm-like supply chain attacks (cf https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-...
How to securely build code from the internet on my servers?
1 vote, 1 answer, 164 views
I need to create a build server which will clone code from GitHub (npm repositories) and then build an OCI image using Buildpack or Nixpack. I am currently researching how to achieve this securely ...
How can authenticity be ensured for Node.js packages when using a public registry like npmjs.com?
1 vote, 1 answer, 142 views
I was thinking about how to ensure the authenticity of Node.js packages that are installed from a public registry like npmjs.com. The only mechanisms (optionally) in place to my understanding are:
...
How serious are npm module vulnerabilities?
1 vote, 2 answers, 1k views
Obviously any known vulnerabilities are not great, but I'm curious how much I should be concerned about them.
I've seen plenty of articles that talk about the rise in malware/spam in npm packages:
...
Where to query for CVEs present in a version of a software project like npm packages or python modules?
2 votes, 1 answer, 513 views
In node, I can run npm audit and it will show me known vulnerabilities for the versions my dependencies are using.
That's cool and all, but I'd like to be able to do the following, on some website or ...
How is the npm package manager made robust security-wise, what are the keys they are using, and how do they use them?
1 vote, 1 answer, 209 views
I am specifically looking at the npm package metadata like from the lodash package, the relevant part which is this:
{
"shasum": "392617f69a947e40cec7848d85fcc3dd29d74bc5",
...
Is there a database that classifies NPM library vulnerabilities as exploitable vs. benign in the browser?
2 votes, 0 answers, 592 views
I maintain several Angular apps, which contain thousands of dependencies on NPM packages. GitHub's Dependabot notifies me of new known vulnerabilities every week (from the CVE database).
For example, ...
Restrict node.js filesystem access
1 vote, 0 answers, 680 views
I have a Node.js app which has a lot of npm-dependencies, running on a Linux (Centos) machine.
When Node starts, the script has access to the files outside its directory (at least by default), so ...
Basically only 2 ways of npm supply chain attacks?
2 votes, 1 answer, 306 views
Almost every week you can read about attacks performed through compromised npm libraries. The npm ecosystem is vast and unmanageable and for it-sec people it is frustrating to deal with all the ...
How does npm’s ECDSA signing system improve security?
3 votes, 1 answer, 534 views
I have not been able to find a single page that actually explains how npm’s ECDSA signing system works.
The closest I could find is the official documentation, but as far as I can tell from that ...
How to securely use `pass`, `sudo`, and `npm` on the same machine
1 vote, 2 answers, 298 views
TL;DR: running npm i ... not long after pass my-password allows a malicious package to steal my entire password store.
I use pass as a password manager, on Linux. And like probably all Linux users, I ...
How to vet third-party developer packages
12 votes, 3 answers, 5k views
Looking to create a form where developers can submit requests for packages to be installed. We want to create a list of questions that can help us determine whether or not a package is safe. What are ...
Is there a way to check if a vulnerability introduced by an npm package is reachable/exploitable
1 vote, 1 answer, 406 views
I have a problem where I have too many vulnerabilities on a few hundred repositories introduced with outdated npm packages. The issue is that I need to find a way to prioritize this. The biggest pain ...
Are devDependencies in Node.js exploitable?
12 votes, 2 answers, 5k views
I am well aware that the best approach is to update any dependency, no matter whether it is a development dependency or a runtime/production dependency.
But from a research perspective, I want to know ...