
Verify (and possibly mirror) NPM installers

Open siepkes opened this issue 7 years ago • 3 comments

As discussed in #24 the openam-ui-ria project pulls in an NPM installer via a Maven plugin. We need a way to verify the NPM installer we downloaded.

This might require adding functionality to the com.github.eirslett:frontend-maven-plugin plugin. NPM provides a list with hashes of the installers (SHASUMS256.txt) and has also signed this list (SHASUMS256.txt.asc).

siepkes, Jun 07 '18 08:06
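The hash check this issue asks for, as an added example that is not part of the thread or of frontend-maven-plugin: it looks up a downloaded installer in the contents of SHASUMS256.txt and compares SHA-256 digests, failing closed when the file is not listed. The function names and the sample file name are assumptions, and the list is assumed to have been authenticated through its signature (SHASUMS256.txt.asc) beforehand.

```python
import hashlib
import hmac
import os
import tempfile

def parse_shasums(text):
    """Map filename -> digest from '<sha256 hex>  <filename>' lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.strip().partition(" ")
        digest, name = digest.lower(), name.strip().lstrip("*")
        if len(digest) != 64 or set(digest) - set("0123456789abcdef") or not name:
            raise ValueError("malformed line: %r" % line)
        # The same file listed twice with different digests is rejected.
        if entries.setdefault(name, digest) != digest:
            raise ValueError("conflicting digests for %r" % name)
    return entries

def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_installer(path, shasums_text, listed_name=None):
    """True only if the file's SHA-256 equals its entry; unlisted files fail."""
    # Assumption: shasums_text was already authenticated via its signature.
    name = listed_name or os.path.basename(path)
    expected = parse_shasums(shasums_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)

def demo():
    # Constructed sample: placeholder installer plus a list built from it.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "installer-example.tar.gz")
        with open(path, "wb") as f:
            f.write(b"constructed installer bytes")
        listing = "%s  installer-example.tar.gz\n" % sha256_file(path)
        before = verify_installer(path, listing)
        with open(path, "ab") as f:
            f.write(b" plus tampering")
        return before, verify_installer(path, listing)

if __name__ == "__main__":
    print(demo())
```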

@Kortanul FYI

siepkes, Jun 07 '18 08:06

@siepkes got your message about this, but am not sure if I'm the best one to take this on.

Kortanul, Jun 16 '18 17:06

@Kortanul Didn't mean to imply you should take it on ;-). The FYI was more that this is something that is also of value for IDM, and so that you are aware of this "hole" in our verification process.

siepkes, Jun 16 '18 20:06