🟢 Recommending npm install --ignore-scripts might provide a false sense of security #320
Status: Open
Labels: Engineering, enhancement, Guides, Initiative 2
The JavaScript guidelines recommend using `npm install --ignore-scripts` to install unknown or new packages. That's not bad advice, but I worry that the text overemphasizes the risk of malicious scripts in particular, while not mentioning the possibility of malicious code in the package itself, which in many cases would allow an attacker to do exactly the same things — it's not great to imply that a package can be made safe by solely checking or disabling the scripts.

It seems like the right advice to give involves a combination of technical measures like `--ignore-scripts`, popularity/reputational signals (extremely popular packages are likely safe as they have lots of eyes on them; packages from well-known organizations are unlikely to be malicious as long as they're actually from that organization), and old-fashioned code review\*, including making the same assessment for all dependencies.

\* of the code on npm — unless the package uses npm's new provenance feature, there's no guarantee what's on npm matches what's on GitHub.
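The distinction the issue draws, as an added illustration that is not part of the issue or the 18F guides: given a packed npm tarball, separate the install-time lifecycle hooks that `--ignore-scripts` suppresses from the entry points (`main`, `bin`) that still execute when the package is required or its binary is invoked, and list every file that still needs code review. The tarball is constructed inline in the same layout `npm pack` produces; `sample-pkg` and its files are made up for the example.

```python
"""Vet an npm tarball before install: what --ignore-scripts covers vs. what it does not."""
import io
import json
import tarfile

# Lifecycle hooks that `npm install` runs from package.json; these are what --ignore-scripts disables.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def build_sample_tarball() -> bytes:
    """Constructed sample package (not a real npm package) laid out like `npm pack` output."""
    pkg = {"name": "sample-pkg", "version": "1.0.0", "main": "index.js",
           "bin": {"sample": "cli.js"},
           "scripts": {"postinstall": "node setup.js", "test": "node test.js"}}
    files = {"package/package.json": json.dumps(pkg).encode(),
             "package/index.js": b"module.exports = () => 1;\n",
             "package/cli.js": b"#!/usr/bin/env node\n",
             "package/setup.js": b"// runs at install time via the postinstall hook\n"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def vet_tarball(tarball: bytes) -> dict:
    """Split the package's execution surfaces: install hooks vs. code that runs on require/exec."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        pkg = json.loads(tar.extractfile("package/package.json").read())
        files = sorted(m.name for m in tar.getmembers() if m.isfile())
    scripts = pkg.get("scripts", {})
    hooks = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
    entry_points = [pkg.get("main", "index.js")] + list(pkg.get("bin", {}).values())
    return {
        "install_hooks": hooks,        # suppressed by --ignore-scripts
        "entry_points": entry_points,  # still run when the package is required or its bin is invoked
        "files_to_review": files,      # code review is still needed for all of these
    }


if __name__ == "__main__":
    print(json.dumps(vet_tarball(build_sample_tarball()), indent=2))
```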