I'm interested why this is not the default behaviour. Would it break anything legit if npm would just simply switch to this behaviour? Are there any strong arguments against this?
I'm interested in use-cases where access to anything outside the current folder (the folder npm is called in) is justified and depended on.
How are packages with native dependencies build? Presumably that requires access to the compiler and libraries? (I don't know anything about npm works, so read those as real and not as rhetorical questions ;))
You also install Node.js scripts, that may just execute anything upon "require". "npm install --ignore-scripts" won't save you. But bash scripts... oh, yeah... lethal.
Maybe going with open solutions for package management will solve most of this problems. Like using git protocol to host ones libraries on github (or gitlab or bitbucket or anything where you can fetch dependencies and get to review the code). Of course, this is not that simple as it sounds.
Lol. Is there a single example of anyone ever making such an 'npm worm'? Regardless of what npm install can or can't do, if it's a malicious module then the actual module code will be a problem too.
If you are that paranoid or its that critical then you are going to have to review every single line of code, which almost no one ever does for libraries. And even so a library could always use the network to sneak more code onto the computer that you didn't authorize.
npm doesn't give any more permissions than any other program run by the user. It's a powerful tool. That isn't a reason for people to be scared of it in ordinary circumstances.
This is why I every time I install something that uses NPM, I create a dedicated user account for it.
Although even if NPM scripts only have access to files they need to access, the damage is bad enough (e.g. if some malicious dependency of a dependency of a dependency checks if it can find a DOM and if so siphon off a copy of every password field to the attacker, every user of your website has just been compromised even if your server's /usr/bin directory is safe).
In this amount of software people build and considering that really 90% of it is total crap, we'll never be secure unless we really be picky with what we use. But that does not work with our lazy nature and all that things about bicycles you hear (like not to invent one; why would I do something by myself if I can just use someone's else solution... duhhh).
We need better quality in our software, so we can trust it.
guess no one is maintainer of pypy packages. The security model of python module is also based on the the conviction that no one will dare be an asshole.
8 comments
[ 4.2 ms ] story [ 8.2 ms ] threadI'm interested in use-cases where access to anything outside the current folder (the folder npm is called in) is justified and depended on.
There are problems with NPM, for sure. Like dependency level, absence of possibility to review new releases, being rather closed than open (https://medium.com/@azerbike/i-ve-just-liberated-my-modules-...).
Maybe going with open solutions for package management will solve most of this problems. Like using git protocol to host ones libraries on github (or gitlab or bitbucket or anything where you can fetch dependencies and get to review the code). Of course, this is not that simple as it sounds.
If you are that paranoid or its that critical then you are going to have to review every single line of code, which almost no one ever does for libraries. And even so a library could always use the network to sneak more code onto the computer that you didn't authorize.
npm doesn't give any more permissions than any other program run by the user. It's a powerful tool. That isn't a reason for people to be scared of it in ordinary circumstances.
Although even if NPM scripts only have access to files they need to access, the damage is bad enough (e.g. if some malicious dependency of a dependency of a dependency checks if it can find a DOM and if so siphon off a copy of every password field to the attacker, every user of your website has just been compromised even if your server's /usr/bin directory is safe).
In this amount of software people build and considering that really 90% of it is total crap, we'll never be secure unless we really be picky with what we use. But that does not work with our lazy nature and all that things about bicycles you hear (like not to invent one; why would I do something by myself if I can just use someone's else solution... duhhh).
We need better quality in our software, so we can trust it.
/me thinks it is weak security