Skip to content

security: remove package-lock.json #141

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jun 3, 2022
Merged

security: remove package-lock.json #141

merged 3 commits into from
Jun 3, 2022

Conversation

Uzlopak
Copy link
Collaborator

@Uzlopak Uzlopak commented Apr 14, 2022

remove package-lock.json set .npmrc to not create package-lock.json files, ignore package-lock.json in .npmignore to avoid publishing a package with package-lock.json, gitignore package-lock.json

We could be prone to a supply-chain-attack when we not carefully review changes in the package-lock.json. urls to packages could be changed to malicious variants. To avoid this, we disable the generation package-lock.json. We should not accept any PRs with package-lock.json.

Uzlopak added 2 commits April 14, 2022 13:59
@Uzlopak
remove package-lock.json and set .npmrc to not create package-lock.js…
34bbd0f 
…on files, ignore package-lock.json in .npmignore to avoid publishing a package with package-lock.json, gitignore package-lock.json

We could be prone to a supply-chain-attack when we not carefully review changes in the package-lock.json. urls to packages could be changed to malicious variants. To avoid this, we disable the generation package-lock.json. We should not accept any PRs with package-lock.json.
@Uzlopak
use npm i instad of npm ci in workflows
d0a14d7
@Uzlopak
Copy link
Collaborator Author

Uzlopak commented Apr 14, 2022

In #140 sinon gets updated while patching the code. While updating a package is not an issue, reviewing the package-lock.json is a pain in the ass and also a reviewer could be negligent and just merge without looking twice. So to avoid that we get some attack vector by a overlooked change in the package-lock.json we should absolutely not use package-lock.json

@HappyZombies
Copy link
Member

I am with you.

The biggest issue for me is that it causes package-lock changes to appear in random commits, which can lead to merge conflicts. It also can introduces security vulnerabilities.

https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/

So +1 to remove it

@jorenvandeweyer what do you think?

@jankapunkt
Copy link
Member

But isn't security the very reason for lockfile, so there is no auto-install of new malicious packages that were hijacked and published? ALso does the lockfile show the dependencies integrity (sha512 sum) and I think we should rather think about a lockfile lint and accept lockfile updates only in combination with dependency version updates.

@jankapunkt
Copy link
Member

dependabot also uses package-lock.json so we should rather keep it and make sure nothing bad slips in.

@Uzlopak
Copy link
Collaborator Author

Uzlopak commented Jun 2, 2022

in mongoose, we dont use package-lock.json and dependabot works as expected :)

@jankapunkt
Copy link
Member

@Uzlopak thank you for this hint. So, from my understanding we can basically "pin" versions in package.json instead, right!? I just checked the mongoose repo and saw this in package.json:

  "dependencies": {
    "bson": "^4.6.2",
    "kareem": "2.3.5",
    "mongodb": "4.5.0",
    "mpath": "0.9.0",
    "mquery": "4.0.3",
    "ms": "2.1.3",
    "sift": "16.0.0"
  },

All packages, besides bson are pinned. Is there a reason for bson not to be pinned? From my understanding, supply-chain attacks are possible (like that one with ua-parser), because of the unpinned versions (the carrot of trust, ^) causing automacic installation of a newly published, hijacked package. Therefore we should make all our versions in package.json fixed / pinned, and so should this bson be, too, right?

I just try to understand this, before simply copying this technique. From that point I would propose for this PR to pin all the versions of dependencies and devDependencies.

@Uzlopak
Copy link
Collaborator Author

Uzlopak commented Jun 2, 2022

Strange. Will pin down the bson version in mongoose.

@HappyZombies
Copy link
Member

HappyZombies commented Jun 2, 2022
edited
Loading

Lol nice, inadvertently found a small "bug" in mongoose.

@Uzlopak
Copy link
Collaborator Author

Uzlopak commented Jun 2, 2022

image

jankapunkt
jankapunkt approved these changes Jun 3, 2022
View reviewed changes
Copy link
Member

@jankapunkt jankapunkt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, I will pin the versions in development and release-4.2.0

@jankapunkt jankapunkt merged commit 7050a91 into node-oauth:development Jun 3, 2022
@Uzlopak Uzlopak deleted the remove-package-lock-json branch June 3, 2022 11:22
@jankapunkt jankapunkt mentioned this pull request Jun 3, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jankapunkt jankapunkt jankapunkt approved these changes

@HappyZombies HappyZombies Awaiting requested review from HappyZombies

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Uzlopak @HappyZombies @jankapunkt