www/npm downloads and installs packages without having signature
checking in place.

There is a discussion about package security at
https://github.com/node-forward/discussions/issues/29, but actual
checking isn't currently done.

Additionally, npm allows direct downloads of GitHub projects without any
authenticity checking or maintainer review; see the documentation at
https://docs.npmjs.com/cli/install. The non-explicit syntax 'npm install
githubname/reponame' can also be easily confused with an official
package name. Random GitHub projects can contain code without any
guarantees.

I think there is a risk that some malicious JavaScript code can be
injected through a MITM attack, and server-side JavaScript is a fully
functional language.

Shouldn't www/npm at least print a security alert about this? It
probably shouldn't be used on production systems until package
authentication is in place.
Yuri
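The two concerns in the message above, dependencies that bypass the registry (GitHub shorthand, git and tarball URLs) and tarballs whose contents are never checked against a known digest, can both be audited locally. The following is an added example written for this page; it is not code from Yuri's message, from npm, or from the FreeBSD port. It assumes a package.json layout as documented for npm, a constructed sample manifest, and the Subresource Integrity string format (sha512-base64) that npm later adopted for its "integrity" fields; the spec-classification rules are a simplified reading of npm's dependency syntax, not npm's own parser.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed sample package.json; the names and specs are illustrative only.
SAMPLE_PACKAGE_JSON = """
{
  "name": "example-app",
  "dependencies": {
    "lodash": "^4.17.0",
    "left-pad": "1.3.0",
    "some-lib": "githubname/reponame",
    "other-lib": "github:githubname/reponame#v1.0.0",
    "git-dep": "git+https://github.com/githubname/reponame.git",
    "tarball-dep": "https://example.invalid/pkg.tgz",
    "local-dep": "file:../local-dep"
  },
  "devDependencies": {
    "mocha": "~9.0.0"
  }
}
"""

# "owner/repo" or "owner/repo#ref": the shorthand that is easy to mistake
# for a registry package name.
GITHUB_SHORTHAND = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(#.*)?$")


def classify_spec(spec):
    """Return where npm would fetch this dependency spec from (simplified rules)."""
    if spec.startswith(("git+", "git://")):
        return "git-url"
    if spec.startswith(("github:", "gitlab:", "bitbucket:", "gist:")):
        return "hosted-git"
    if spec.startswith(("http://", "https://")):
        return "tarball-url"
    if spec.startswith(("file:", "./", "../", "/", "~/")):
        return "local-path"
    if spec.startswith("npm:"):
        return "registry-alias"
    if GITHUB_SHORTHAND.match(spec):
        return "github-shorthand"
    # Anything else is treated as a semver range or dist-tag on the registry.
    return "registry"


def find_non_registry_deps(package_json_text):
    """Return {name: (spec, kind)} for dependencies that bypass the registry."""
    data = json.loads(package_json_text)
    flagged = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in data.get(section, {}).items():
            kind = classify_spec(spec)
            if kind not in ("registry", "registry-alias"):
                flagged[name] = (spec, kind)
    return flagged


def compute_sri(data, algorithm="sha512"):
    """Compute an SRI string ("<alg>-<base64 digest>") over tarball bytes."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data, integrity):
    """Check tarball bytes against one expected SRI string.

    Assumes a single hash without SRI options; compares in constant time.
    Only the SRI-approved algorithms are accepted.
    """
    algorithm, _, _expected = integrity.partition("-")
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("unsupported SRI algorithm: %r" % algorithm)
    return hmac.compare_digest(compute_sri(data, algorithm), integrity)


if __name__ == "__main__":
    for name, (spec, kind) in find_non_registry_deps(SAMPLE_PACKAGE_JSON).items():
        print(f"{name}: {spec!r} is fetched as {kind}, not from the registry")
    tarball = b"constructed tarball bytes, not a real package"
    expected = compute_sri(tarball)
    print("integrity ok:", verify_sri(tarball, expected))
    print("tampered ok:", verify_sri(tarball + b"x", expected))
```

Run against a real package.json, the first function lists every dependency whose code will not come from the registry, which is the set the message says deserves a warning; the second shows the check a client would need to perform on each downloaded tarball once a trusted digest exists, which is exactly the step the message says npm was not doing at the time.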
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"