
Monorepo: Lockfile security

Open evertonfraga opened this issue 5 years ago • 2 comments

NPM is currently solely responsible for checking the integrity of the packages. But in the case of a malicious package-lock.json being introduced, npm has limited reach.

So for a start, we should aim to never accept package-lock.json changes from external PRs.

For every other case, we should Lockfile-lint.

Thanks for bringing this up, @holgerd77.

evertonfraga avatar Aug 18 '20 14:08 evertonfraga

I guess this is still relevant.

holgerd77 avatar Jan 13 '22 18:01 holgerd77

nice, maybe can run this script as a preinstall script on the root package.json? e.g.:

"preinstall": "npm run lintLockfile",
"lintLockfile": "npx lockfile-lint --path package-lock.json --allowed-hosts npm --validate-https"

ryanio avatar Jan 13 '22 20:01 ryanio
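As an added illustration of what the `--allowed-hosts npm --validate-https` checks above enforce, here is a small hand-rolled lockfile check (example code, not lockfile-lint's own and not part of ethereumjs-monorepo). It assumes the `npm` alias means `registry.npmjs.org`, and runs over a constructed package-lock.json object with one clean entry and one tampered entry.

```javascript
// Added example: flags lockfile entries whose tarball is fetched over plain HTTP,
// from a host outside the allowed registry set, or without an integrity hash.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']); // assumption: the only registry we trust

// Flatten lockfile v2/v3 ("packages", flat) or v1 ("dependencies", nested) into [name, meta] pairs.
function collectEntries(lock) {
  const out = [];
  if (lock.packages) {
    for (const [name, meta] of Object.entries(lock.packages)) {
      if (name !== '') out.push([name, meta]); // '' is the root project itself
    }
    return out;
  }
  const walkV1 = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      out.push([name, meta]);
      walkV1(meta.dependencies);
    }
  };
  walkV1(lock.dependencies);
  return out;
}

function findLockfileViolations(lock, allowedHosts = ALLOWED_HOSTS) {
  const violations = [];
  for (const [name, meta] of collectEntries(lock)) {
    if (meta.link || meta.bundled || meta.inBundle) continue; // workspace links / bundled deps have no tarball
    if (typeof meta.resolved !== 'string') { violations.push(`${name}: missing resolved URL`); continue; }
    let url;
    try { url = new URL(meta.resolved); } catch { violations.push(`${name}: unparseable resolved URL`); continue; }
    if (url.protocol !== 'https:') violations.push(`${name}: non-HTTPS resolved URL ${meta.resolved}`);
    if (!allowedHosts.has(url.hostname)) violations.push(`${name}: host ${url.hostname} not in allowed list`);
    if (!/^sha(256|384|512)-/.test(meta.integrity || '')) violations.push(`${name}: missing or weak integrity hash`);
  }
  return violations;
}

// Constructed sample lockfile (v2 shape): one clean entry, one entry pointing at a rogue mirror.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example', version: '1.0.0' },
    'node_modules/good-dep': {
      version: '1.2.3',
      resolved: 'https://registry.npmjs.org/good-dep/-/good-dep-1.2.3.tgz',
      integrity: 'sha512-PLACEHOLDERBASE64HASH==', // constructed placeholder, not a real hash
    },
    'node_modules/evil-dep': {
      version: '0.0.1',
      resolved: 'http://mirror.example.invalid/evil-dep-0.0.1.tgz', // constructed: wrong scheme, wrong host, no integrity
    },
  },
};

console.log(findLockfileViolations(SAMPLE_LOCK)); // three findings, all against node_modules/evil-dep
```

Wired into a `preinstall` script as suggested above, a non-empty result would fail the install before any tarball is fetched.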

Is this addressed in https://github.com/ethereumjs/ethereumjs-monorepo/pull/2201 ? CC @faustbrian

jochem-brouwer avatar Aug 26 '22 16:08 jochem-brouwer

Would say so @jochem-brouwer and rejecting such PRs should be up to the reviewer

faustbrian avatar Aug 26 '22 16:08 faustbrian

OK, will close.

jochem-brouwer avatar Aug 26 '22 16:08 jochem-brouwer