Do not suggest npm install lodestar in guides, only dockerhub #4113

Closed
2 tasks done
dapplion opened this issue Jun 3, 2022 · 2 comments
Labels
prio-high Resolve issues as soon as possible. scope-documentation All issues related to the Lodestar documentation.

Comments

@dapplion
Contributor

dapplion commented Jun 3, 2022

NPM dependencies suffer from supply chain attacks. We protect users against those with locked dependencies on repo installs (yarn.lock) + dependabot updates.

Due to this, we should encourage users to only run pre-built docker images since those are guaranteed to install a pre-vetted set of safe dependencies.

TODO

@dapplion dapplion added prio-high Resolve issues as soon as possible. scope-documentation All issues related to the Lodestar documentation. audit-2022Q2 and removed audit-2022Q2 labels Jun 3, 2022
@dapplion dapplion added this to the Audit 2022Q2-batch1 milestone Jun 3, 2022
@philknows philknows self-assigned this Jun 4, 2022
@philknows
Member

Is the warning note on the documentation itself or are there any other warning methods we should include with NPM installation, @dapplion?

@dapplion
Contributor Author

dapplion commented Jun 7, 2022

That's good!
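
Added example, not part of the original thread or of Lodestar's code: a registry install resolves the semver ranges in the published `package.json` at install time and does not use the repository's `yarn.lock`, so it can pull versions that were never vetted. The sketch below models that drift; the package names, versions, and the caret-only range matcher are constructed assumptions for illustration.

```javascript
// Versions the registry offers at install time (constructed sample data).
const registry = {
  "example-dep": ["1.2.0", "1.2.1", "1.3.0", "2.0.0"],
  "other-dep": ["0.4.1", "0.4.2", "0.5.0"],
};
// Ranges declared in the published package.json (constructed).
const declared = { "example-dep": "^1.2.0", "other-dep": "^0.4.1" };
// Versions pinned in the repo lockfile when the release was vetted (constructed).
const locked = { "example-dep": "1.2.1", "other-dep": "0.4.2" };

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Simplified caret matcher (plain x.y.z only): a caret range allows changes
// to the right of the left-most non-zero component.
function satisfiesCaret(version, range) {
  const base = range.slice(1);
  const [M, m, p] = parse(base);
  const [vM, vm, vp] = parse(version);
  if (cmp(version, base) < 0) return false;
  if (M > 0) return vM === M;
  if (m > 0) return vM === 0 && vm === m;
  return vM === 0 && vm === 0 && vp === p;
}

// What an unlocked install picks: the highest published version in range.
function resolveUnlocked(name) {
  return registry[name]
    .filter((v) => satisfiesCaret(v, declared[name]))
    .sort(cmp)
    .pop();
}

// Dependencies whose unlocked resolution differs from the vetted lockfile pin.
function drift() {
  return Object.keys(declared)
    .map((name) => ({ name, locked: locked[name], unlocked: resolveUnlocked(name) }))
    .filter((d) => d.locked !== d.unlocked);
}

console.log(drift());
```

Any entry reported by `drift()` is a version that reaches the user without having gone through the lockfile review that the pre-built image reflects.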
