Questions tagged [npm]

npm is a package manager for Node.js

24 questions
16 votes, 1 answer

Unpublished modules on npm: could an attacker take advantage of their former notoriety?

Earlier this week, Azer Koçulu decided to unpublish his modules from npm, the default package manager for Node.js. He had published 273 modules in total. Some major modules, like Babel and React, relied on one of them: left-pad, and a lot of npm…
Benoit Esnard
12 votes, 3 answers

How to vet third-party developer packages

Looking to create a form where developers can submit requests for packages to be installed. We want to create a list of questions that can help us determine whether or not a package is safe. What are some important questions to include in the form…
user277711
8 votes, 3 answers

Recent ESLint hack or how can we protect ourselves from installing malicious npm packages?

Recently, the eslint-scope and eslint-config-eslint packages were hacked in an interesting way: one of the maintainers' accounts was compromised by an attacker, and a new "patch" version containing the malicious code was published to the npm registry. This…
alecxe
7 votes, 2 answers

Are devDependencies in Node.js exploitable?

I am well aware that the best approach is to update any dependency, no matter whether it is a development dependency or a runtime/production dependency. But from a research perspective, I want to know whether a vulnerability in development…
LGDGODV
6 votes, 1 answer

How do Atom's apm and npm verify package integrity?

Are there built-in verification methods to make sure the packages contain the correct code? Do they use a hash of some sort?
user
5 votes, 1 answer

How to deal with prototype pollution attack vulnerability in lodash?

lodash has been reported to be vulnerable to the so-called prototype pollution attack in versions up to (excluding) 4.17.5. See https://nvd.nist.gov/vuln/detail/CVE-2018-3721. Now, lodash is the most depended-upon package in the JavaScript ecosystem.…
borisdiakur
5 votes, 1 answer

Malicious NPM Package - Does it fit into OWASP Top Ten 2017?

On various security forums I have seen links to a post about a fictive malicious NPM package harvesting information. The post's title: I’m harvesting credit card numbers and passwords from your site. Here’s how. The best quote in the post in my…
Ogglas
4 votes, 0 answers

What are commonly used security practices when writing a hybrid mobile app with a framework like ionic 2?

I'm new to hybrid app development and web development in general. Are there common coding practices/techniques I can use to ensure that I write code which does not put the end user at risk of malicious software exploiting my app to cause harm? How…
3 votes, 2 answers

How much damage can a malicious package do with just "npm install "?

I had a typo and npm installed something that is similar in name to something very popular -- I was concerned about typosquatting. It's quite plausibly legitimate and just a coincidence. I looked at the corresponding package and didn't see…
user237586
3 votes, 2 answers

How do I get the "vulnerabilities history" of a Node.js package?

When installing a Node.js package via npm or when running npm-audit I get information about known vulnerabilities of packages in the project. From my understanding this means that there must be some database somewhere that contains this…
pinas
3 votes, 2 answers

Is it OK to not update devdependencies?

When checking third-party libraries used in package.json and build.gradle files with tools such as Snyk, they allow the option to check for devDependencies. A lot of the time there are vulnerabilities for these dependencies. But if they are not…
vegedezozu
2 votes, 1 answer

How can the validity and safety of a software library be checked?

So beyond looking at the source code for a particular software library, is there a way to vet that it does not contain malicious code? As far as I know from my own research, services like pip, npm, and composer do not provide any assurances (Not that I…
Rehket
2 votes, 1 answer

How is the create-react-app package tree properly sanitized?

React, and its application creation script, create-react-app, are popular packages nowadays... and with good reason: React is a rock-star framework. From a security perspective, sanitizing all the packages that create-react-app installs seems to be…
kmiklas
1 vote, 1 answer

How does npm’s ECDSA signing system improve security?

I have not been able to find a single page that actually explains how npm’s ECDSA signing system works. The closest I could find is the official documentation, but as far as I can tell from that documentation, this system is completely useless: a…
Brian Drake
1 vote, 2 answers

How to securely use `pass`, `sudo`, and `npm` on the same machine

TL;DR: running npm i ... not long after pass my-password allows a malicious package to steal my entire password store. I use pass as a password manager, on Linux. And like probably all Linux users, I use sudo to run commands as root. The first time…
Zwyx