Feature request: instructions on how to determine the hash for the `packageManager` field in `package.json`
The README.md states that "the hash is optional but strongly recommended as a security practice", but provides no guidance on how to determine an acceptable hash.
I can see hashes in config.json—and I can also see a workflow that updates them automatically—but it would be good to be able to easily determine the shasum for the version you're currently using.
A couple of options:
- `npm show <npm|yarn|pnpm>@<version> dist.shasum` will print the SHA-1 checksum. Or you could use the `curl | jq` commands in the workflow.
- Something like `corepack show` or `corepack info` that provides the necessary info (maybe even sha-224/sha-256/sha-512 instead of sha-1).
How about adding something like “corepack --save [email protected]” that writes to the package.json?
> The README.md states that "the hash is optional but strongly recommended as a security practice", but provides no guidance on how to determine an acceptable hash.
I think the official guidance is: package managers should provide this information, as there are no reliable ways of doing it yourself without trusting HTTPS + that the remote server wasn't hijacked, which kinda defeats the purpose of having a hash.
That being said, the added hash still benefits other users and yourself if you ever clean up your cache; the relative security risk is worth taking. In that case, the unofficial guidance is to set a dummy hash (e.g. "packageManager": "[email protected]+sha224.deadbeef"), run Corepack, get the actual hash from the error message, and voilà.
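The two ways of obtaining the hash that come up above (reading `dist.shasum` or the registry metadata, and the dummy-hash trick that reads the real digest back from Corepack's mismatch error) as one worked example. This is added here and is not corepack's code or anything posted in the thread. It assumes the `<name>@<version>+<algo>.<hex>` shape seen in the dummy value `+sha224.deadbeef`, and that the algorithm token is a digest name `hashlib` recognises (sha1, sha224, sha256, sha512). The registry document and the tarball bytes are constructed so the script runs offline; the same functions apply unchanged to real `npm show <name>@<version> --json` output and a downloaded tarball.

```python
"""Derive and check the hash suffix of a `packageManager` field.

Added example for this thread, not corepack's own code. Assumes the
`<name>@<version>+<algo>.<hex>` shape (as in `+sha224.deadbeef`) and that
<algo> is a digest name hashlib knows.
"""
import base64
import hashlib
import json
import re

# Constructed stand-in for a package-manager tarball. In practice the bytes
# come from the `dist.tarball` URL in the registry document.
SAMPLE_TARBALL = b"constructed tarball bytes, not a real release\n"

# Constructed stand-in for `npm show <name>@<version> --json` (the same JSON
# the curl | jq approach reads). Only the fields used below are present, and
# their digests are computed from SAMPLE_TARBALL so the example is
# self-consistent offline. The URL is a placeholder.
SAMPLE_REGISTRY_DOC = json.dumps({
    "name": "yarn",
    "version": "0.0.0-constructed",
    "dist": {
        # npm publishes a hex SHA-1 in `shasum` ...
        "shasum": hashlib.sha1(SAMPLE_TARBALL).hexdigest(),
        # ... and a base64 SRI string in `integrity`.
        "integrity": "sha512-"
        + base64.b64encode(hashlib.sha512(SAMPLE_TARBALL).digest()).decode(),
        "tarball": "https://registry.example/yarn/-/yarn-0.0.0-constructed.tgz",
    },
})

FIELD_RE = re.compile(
    r"^(?P<name>[^@+\s]+)@(?P<version>[^+\s]+)"
    r"(?:\+(?P<algo>[a-z0-9]+)\.(?P<hex>[0-9a-fA-F]+))?$"
)


def sri_to_hex(integrity: str) -> tuple[str, str]:
    """Turn an SRI value like "sha512-<base64>" into ("sha512", "<hex>").

    npm's `dist.integrity` is base64 SRI; the packageManager suffix is hex,
    so the digest must be re-encoded, not copied.
    """
    algo, b64 = integrity.split("-", 1)
    return algo, base64.b64decode(b64).hex()


def package_manager_field(registry_doc: str, algo: str = "sha512") -> str:
    """Build "<name>@<version>+<algo>.<hex>" from a registry document.

    algo="sha1" uses `dist.shasum` (what `npm show ... dist.shasum` prints);
    any other algo must be the one carried by the SRI `dist.integrity`.
    """
    doc = json.loads(registry_doc)
    dist = doc["dist"]
    if algo == "sha1":
        digest = dist["shasum"]
    else:
        sri_algo, digest = sri_to_hex(dist["integrity"])
        if sri_algo != algo:
            raise ValueError(f"registry publishes {sri_algo}, not {algo}")
    return f"{doc['name']}@{doc['version']}+{algo}.{digest}"


def parse_field(value: str) -> dict:
    """Split a packageManager value; algo/hex are None when no hash is pinned."""
    m = FIELD_RE.match(value)
    if not m:
        raise ValueError(f"not a packageManager value: {value!r}")
    return m.groupdict()


def actual_digest(value: str, tarball: bytes) -> str:
    """Hex digest of `tarball` under the algorithm named in `value`.

    This is the figure the dummy-hash workflow recovers from the error
    message: pin `+sha224.deadbeef`, run once, read the real digest back.
    """
    spec = parse_field(value)
    if spec["algo"] is None:
        raise ValueError("no hash suffix to compare against")
    return hashlib.new(spec["algo"], tarball).hexdigest()


def verify_tarball(value: str, tarball: bytes) -> bool:
    """True only when a hash is pinned and it matches the tarball bytes."""
    spec = parse_field(value)
    expected = (spec["hex"] or "").lower()
    return bool(expected) and actual_digest(value, tarball) == expected


if __name__ == "__main__":
    for algo in ("sha1", "sha512"):
        pinned = package_manager_field(SAMPLE_REGISTRY_DOC, algo)
        print(pinned, "verified:", verify_tarball(pinned, SAMPLE_TARBALL))
    dummy = "yarn@0.0.0-constructed+sha224.deadbeef"
    print("dummy pin verifies:", verify_tarball(dummy, SAMPLE_TARBALL))
    print("real sha224 to paste back:", actual_digest(dummy, SAMPLE_TARBALL))
```

Pinning only `<name>@<version>` without a suffix makes `verify_tarball` return False rather than raising, so a CI check over `package.json` can treat an unpinned field as a finding instead of a crash. The `sha1` path shows why the `npm show ... dist.shasum` route only ever yields SHA-1: npm's other digest lives in the SRI `integrity` field and needs the base64-to-hex conversion in `sri_to_hex`.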
> How about adding something like “corepack --save [email protected]” that writes to the package.json?
I like the idea, it's of course not great from a security perspective but would be very practical – and folks who need the extra security can still use a manual workflow.
> How about adding something like “corepack --save [email protected]” that writes to the package.json?
In the case of Yarn we have yarn set version. It doesn't currently save the hash, but I'd like it to do that.
It'd be convenient to have something like this in Corepack (especially for package managers that don't have similar commands), but I'm a little worried that it would make the Yarn UX more confusing for Yarn users: should they use the Corepack command, or the Yarn one? What happens if a tutorial uses the Corepack command, but a user somehow doesn't have Corepack installed?
Ideally, I think I'd prefer if users didn't have to deal with Corepack at all once they have enabled it, so that their workflows stay exactly the same with / without.
> I'd prefer if users didn't have to deal with Corepack at all once they have enabled it
I already have to interact with corepack activate to install a global version for projects that don’t have packageManager defined.
I think a new command for corepack set pkg@version would be perfect 👍
Would love this as well. I would like to place a SHA here, but don't want to burden future maintainers of my repo with having to figure out how to generate that SHA when they go to update the package manager... Either a command to provide it or just updating the docs would be helpful here.
Addressed by #291 (which adds corepack use … and corepack up commands)