
Check that integrity hashes match hashes from NPM #2558

Closed
patcon opened this issue Apr 25, 2022 · 5 comments
Labels
security Related to app security. tooling Tooling, automation and CI to support development.

Comments

@patcon
Contributor

patcon commented Apr 25, 2022

Re-ticketed from #2414 (comment)

Currently, we're checking that (1) integrity hashes exist in our lockfile and (2) that they're validly formed. We're not checking that they (3) match the files in our node_modules, nor if (4) those hashes match those from NPM (our local cache could be corrupted). This focusses on (4).

(This should use external packages when possible)

  • validate cached integrity hash matches hash on npmjs
    • the cached tarball and cached checksum could match, but it might not be the contents from npm. we don't confirm that yet
@patcon patcon added tooling Tooling, automation and CI to support development. security Related to app security. labels Apr 25, 2022
@esizer
Member

esizer commented Jul 20, 2022

I don't fully understand this issue but I did find this stack overflow page while researching it. Is this related/helpful?

Honestly - no. NPM is the distribution service, and you'd need to trust it to deliver an integrity check. If you trust it, and you have your https root certificates set up correctly (aka no mitm), then you can trust the files it delivers.

Ref: https://stackoverflow.com/questions/57667640/is-there-a-way-to-assure-the-integrity-of-a-published-npm-packages-using-hashes

@patcon
Contributor Author

patcon commented Dec 12, 2022

Thanks @esizer, but I think that is unrelated and this is still outstanding, as evidenced by this npm issue which has not been getting any love: npm/cli#4460 (comment)

As someone who used to work with reproducible build systems and processes for high-stakes security software like Tor and TailsOS, I find the npm team response to this issue quite disappointing.

Recommendation

I'd suggest we don't remediate this downstream in our repo, and instead just try to move to using yarn asap (which, as I understand, doesn't have these issues with integrity checksums).

@esizer
Member

esizer commented Dec 12, 2022

As someone who used to work with reproducible build systems and processes for high-stakes security software like Tor and TailsOS, I find the npm team response to this issue quite disappointing.

Yikes, so they don't validate integrity hashes? 😱 Okay, then yeah that is not good for us :(

I'd suggest we don't remediate this downstream in our repo, and instead just try to move to using yarn asap (which, as I understand, doesn't have these issues with integrity checksums).

Agreed, if yarn is doing proper validations then I agree to move to it. I prefer yarn anyway 😏

@mnigh
Contributor

mnigh commented Feb 23, 2024

@esizer What about pnpm, will this solve this issue?

@esizer
Member

esizer commented Feb 23, 2024

@esizer What about pnpm, will this solve this issue?

Definitely https://pnpm.io/npmrc#verify-store-integrity

@tristan-orourke closed this as not planned on Mar 18, 2024