
[RRFC] add message (or opt-out support) for non registry tarball URLs #581

@thescientist13

Description


Motivation ("The Why")

This came up during one of the recent RFC meetings a couple weeks ago, and so just wanted to capture it for posterity. I also think it would be a nice feature to have for the security conscious among us.

Example

Whenever a command is run, like npm i, that otherwise adds / updates installed packages on disk, if any package is NOT coming from a registry (e.g. a tarball URL), then a message should be presented to the user.

For example, a package.json like this would trigger a message:

{
  "dependencies": {
    "@babel/cli": "^7.4.0",
    "eslint": "git+https://github.com/eslint/eslint.git"
  }
}

I speculate that it might only need to apply to transitive dependencies because, presumably, as an author, if you are setting it for your direct dependencies in your own top-level package.json, then that was a conscious choice. Whereas you have no control over what's at the end of that tarball URL if it's coming in through a transitive dependency.

How

Current Behaviour

There is no messaging about tarball URLs.

Desired Behaviour

An npm install going forward would message about tarball URLs.

% npm i
npm WARN deprecated coffee-script@1.12.7: CoffeeScript on NPM has moved to "coffeescript" (no hyphen)
npm WARN eslint installed from tarball URL <URL>

added xxx packages, and audited xxx packages in 8s

...

Additionally, is there value in having the operation fail if the user wants to opt out of tarball URLs entirely? The rationale being that if the package is installed, but only a message is shown, and if that package is malicious, then it is already too late by that point to avoid any harm.

Some users may want to explicitly opt out of anything that does NOT come from a registry, and so the command should fail immediately at that point.

$ npm install --no-tarball-urls
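The check described above, as an added example that is not part of npm or of this RFC: it scans a lockfileVersion 2/3 package-lock.json (assumed format, `packages` map with `resolved` fields), flags every package whose resolved URL is not an https tarball on an allowed registry host, marks direct versus transitive dependencies, and fails only when a `strict` option standing in for the proposed `--no-tarball-urls` opt-out is set. The sample lockfile, its package names and URLs are constructed.

```javascript
// Added example, not npm's code: find packages in a lockfileVersion 2/3 lock whose
// "resolved" URL is not an allowed-registry tarball, warn, and fail only when strict.
const DEFAULT_REGISTRIES = new Set(["registry.npmjs.org"]);

// True only for an https tarball served from an allowed registry host.
function isRegistryResolved(resolved, registries = DEFAULT_REGISTRIES) {
  if (typeof resolved !== "string") return false;         // workspace links have none
  let u;
  try { u = new URL(resolved); } catch { return false; }   // unparsable spec: not trusted
  return u.protocol === "https:" && registries.has(u.hostname);
}

// Package name from a lockfile path such as "node_modules/a/node_modules/@s/b".
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? path : path.slice(i + "node_modules/".length);
}

// Every installed package not resolved from a registry; "direct" marks ones the
// root package.json declares itself (the author's conscious choice).
function findNonRegistryPackages(lock, registries = DEFAULT_REGISTRIES) {
  const root = lock.packages[""] || {};
  const declared = new Set(["dependencies", "devDependencies", "optionalDependencies"]
    .flatMap((f) => Object.keys(root[f] || {})));
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "" || meta.link || isRegistryResolved(meta.resolved, registries)) continue;
    const name = nameFromPath(path);
    findings.push({ name, resolved: meta.resolved ?? "(none)",
      direct: declared.has(name) && path === `node_modules/${name}` });
  }
  return findings;
}

// Warn for each finding; with strict (the proposed --no-tarball-urls opt-out) any
// finding makes the install fail instead of proceeding.
function check(lock, { strict = false, registries = DEFAULT_REGISTRIES } = {}) {
  const findings = findNonRegistryPackages(lock, registries);
  const messages = findings.map((f) =>
    `npm WARN ${f.name}${f.direct ? "" : " (transitive)"} installed from non-registry URL ${f.resolved}`);
  return { ok: strict ? findings.length === 0 : true, findings, messages };
}

// Constructed sample lock (hypothetical packages; the commit sha is a placeholder).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { "@babel/cli": "^7.4.0", eslint: "git+https://github.com/eslint/eslint.git" } },
  "node_modules/@babel/cli": { resolved: "https://registry.npmjs.org/@babel/cli/-/cli-7.4.0.tgz" },
  "node_modules/eslint": { resolved: "git+ssh://git@github.com/eslint/eslint.git#0000000000000000000000000000000000000000" },
  "node_modules/tiny-helper": { resolved: "https://cdn.example.invalid/tiny-helper-1.0.0.tgz" },
} };
```

Running `check(SAMPLE_LOCK)` yields two warnings (eslint as direct, tiny-helper as transitive) and `ok: true`; `check(SAMPLE_LOCK, { strict: true })` returns `ok: false`.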

References

  • n/a
