On Mon, Mar 16, 2015, at 14:57, Yuri wrote: > www/npm downloads and installs packages without having signature > checking in place. > There is the discussion about package security > https://github.com/node-forward/discussions/issues/29 , but actual > checking isn't currently done. > > Additionally, npm allows direct downloads of GitHub projects without any > authenticity checking or maintainer review, see documentation > https://docs.npmjs.com/cli/install . Non-explicit syntax 'npm install > githubname/reponame' can also be easily confused with the official > package name. Random GitHub projects can contain code without any > guarantees. > > I think there is the risk that some malicious JavaScript code can be > injected through the MITM attack, and server side JavaScript is a fully > functional language. > > Shouldn't www/npm at least print a security alert about this? It > probably shouldn't be used on production systems until package > authentication is in place. > > Yuri >
This would require FreeBSD to modify npm code to inject this message, correct? Or do you just want a post-install message when the package is installed to remind FreeBSD users about it? It seems to me a scary warning patch should be sent upstream. _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
