
Unnecessary components are included in final module bundle #960

Closed
cmdcarini opened this issue Dec 1, 2020 · 6 comments

Comments

@cmdcarini
Copy link

The test and examples dirs, among some other configuration files, are included in the published module. This increases the size of the overall package and includes a lot of test fixtures in the final bundle that aren't needed for its functionality. Consider specifying the exact files to include in the bundle using the files attr in package.json.

@mscdex
Copy link
Owner

mscdex commented Apr 26, 2021

This wouldn't work for the publishing workflow I use as I use the repo as the source of truth. The reason for this is that it allows me to know with absolute certainty what will be included in the published module/package and I won't be susceptible to any/all npm publishing bugs (yes, this happened in the past and is the reason I started doing things this way).

I'm not aware of any solutions with npm that would allow me to easily take a tarball (e.g. from github), remove "unnecessary components", and then publish only what's left.

@bryanculver
Copy link

From a security perspective: I am working with an enterprise client that uses Aquascan to scan Docker images before they are deployed. Several packages, including this one, ship test fixtures that contain private keys (https://github.com/mscdex/ssh2/tree/master/test/fixtures), and these are blocking some of our applications from being deployed, as the scanner disallows images containing private keys from being deployed. The concern is that internal private keys are being stored insecurely in an internal Dockerhub. Scanning utilities don't discern between internal keys and test keys.

We can add layers to our Dockerfile to remove these but it seems like a moving target in our pipeline.
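Image scanners such as the ones mentioned above flag PEM private-key armour wherever it appears, fixtures included. The following is an added example, not code from the ssh2 project nor from Aqua or Twistlock, of the same check run over an installed package tree so a team can fail a build before the image is even pushed. The directory layout and the key bodies are constructed stand-ins; the header strings are the standard PEM markers.

```python
"""Scan a directory tree for embedded PEM private keys, the way image
scanners flag them. Added example; not code from ssh2, Aqua or Twistlock."""
import os
import re
import tempfile

# PEM armour used by OpenSSL, OpenSSH and PKCS#8 private keys:
# "RSA PRIVATE KEY", "OPENSSH PRIVATE KEY", "ENCRYPTED PRIVATE KEY", ...
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?P<kind>(?:[A-Z0-9]+ )?PRIVATE KEY)-----"
)
MAX_BYTES = 1 << 20  # skip large binaries; key files are small text


def find_private_keys(root):
    """Return sorted (relative_path, key_kind) pairs for every file under
    root that contains a PEM private-key header."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished; not a scan failure
            for match in PRIVATE_KEY_RE.finditer(data):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.add((rel, match.group("kind").decode("ascii")))
    return sorted(hits)


def build_fixture_tree():
    """Constructed stand-in for an installed package (hypothetical layout):
    a source file, two test-fixture private keys and one public key.
    The key bodies are dummy base64, not real key material."""
    root = tempfile.mkdtemp(prefix="pkgscan-")
    files = {
        "lib/index.js": b"module.exports = function () {};\n",
        "test/fixtures/id_rsa":
            b"-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n",
        "test/fixtures/id_ed25519":
            b"-----BEGIN OPENSSH PRIVATE KEY-----\nQUJD\n-----END OPENSSH PRIVATE KEY-----\n",
        "test/fixtures/id_rsa.pub": b"ssh-rsa AAAAB3Nza dummy@example\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_fixture_tree()
    for rel, kind in find_private_keys(root):
        print(f"{rel}: {kind}")
```

Pointing `find_private_keys` at `node_modules` after `npm ci` reproduces what the image scanner will see, and the returned paths are exactly the ones a Dockerfile cleanup step would have to delete. Like the commercial scanners, the check is purely syntactic: it cannot tell a throwaway test key from a leaked production one, which is why the findings have to be resolved upstream or explicitly allow-listed rather than argued with.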

@OmgImAlexis
Copy link

> The reason for this is that it allows me to know with absolute certainty what will be included in the published module/package

Huh? Run `npm pack`; that'll give you exactly what's published.

@phaumer
Copy link

phaumer commented Mar 12, 2022

I agree with @bryanculver. Twistlock scans raise these private keys as a High severity issue. Given the security sensitive nature of an ssh library I think this will create problems for many, many adopters.

@OmgImAlexis
Copy link

@mscdex this hasn't been fixed, why was it closed as "completed"?

@mscdex
Copy link
Owner

mscdex commented Dec 26, 2023

@OmgImAlexis Because as I mentioned in the associated PR, I'm not interested in removing these files at this time.
