Check that integrity hashes match hashes from NPM #2558
Comments
I don't fully understand this issue but I did find this stack overflow page while researching it. Is this related/helpful?
Thanks @esizer, but I think that is unrelated and this is still outstanding, as evidenced by this npm issue which has not been getting any love: npm/cli#4460 (comment)

As someone who used to work with reproducible build systems and processes for high-stakes security software like Tor and TailsOS, I find the npm team response to this issue quite disappointing.

Recommendation

I'd suggest we don't remediate this downstream in our repo, and instead just try to move to using
Yikes, so they don't validate integrity hashes? 😱 Okay, then yeah that is not good for us :(
Agreed, if yarn is doing proper validations then I agree to move to it. I prefer yarn anyway 😏
@esizer What about pnpm, will this solve this issue?
Definitely https://pnpm.io/npmrc#verify-store-integrity
Re-ticketed from #2414 (comment)
Currently, we're checking that (1) integrity hashes exist in our lockfile and (2) that they're validly formed. We're not checking that they (3) match the files in our node_modules, nor if (4) those hashes match those from NPM (our local cache could be corrupted). This focusses on (4).
(This should use external packages when possible)