Are there built in verification methods to make sure the packages contain the correct code? Do they use a hash of some sort?
1 Answer
According to npm issue #6886, there is a system for validating the contents of packages via any checksum or hashing system.
Quote from GitHub user othiym23:
npm has included validation of the package tarballs, via their SHA-1 digests, since pretty much the beginning. It's worth pointing out, though, that this is intended as a verification measure to ensure that the package tarball has been correctly downloaded from the registry; it's not meant to protect against substitution attacks.
So, while the data is verified to be the SAME data that came from the npm server, there is no way of validating whether or not the code being delivered from the server is the code you expect (e.g. no system in place for validating the package with your own trusted hash).
There appears to be some checking of validation in the source code, however, the source also reveals that there is NO integrity validation for Git repository based npm package fetches.
You can find the logic for this condition on line ~120 in this file.