Unnecessary components are included in final module bundle #960

The `test`, `examples` dirs, among some other configuration files, are included in the published module. This increases the size of the overall package, and includes a lot of test fixtures in the final bundle that aren't needed for its functionality. Consider specifying the exact files to include in the bundle using the `files` attr in package.json.

Comments

This wouldn't work for the publishing workflow I use, as I use the repo as the source of truth. The reason for this is that it allows me to know with absolute certainty what will be included in the published module/package, and I won't be susceptible to any/all npm publishing bugs (yes, this happened in the past and is the reason I started doing things this way). I'm not aware of any solutions with npm that would allow me to easily take a tarball (e.g. from GitHub), remove "unnecessary components", and then publish only what's left.

From a security perspective: I am working with an enterprise client that uses Aquascan to scan Docker images before they are deployed. Several packages, including this one, are shipping test fixtures that contain private keys (https://github.com/mscdex/ssh2/tree/master/test/fixtures), which are blocking some of our applications from being deployed, as they disallow images containing private keys from being deployed. The concern is that internal private keys are being stored insecurely in an internal Dockerhub. Scanning utilities don't discern between internal keys and test keys. We can add layers to our Dockerfile to remove these, but it seems like a moving target in our pipeline.

Huh? Run

I agree with @bryanculver. Twistlock scans raise these private keys as a High severity issue. Given the security-sensitive nature of an ssh library, I think this will create problems for many, many adopters.

@mscdex this hasn't been fixed, why was it closed as "completed"?

@OmgImAlexis Because, as I mentioned in the associated PR, I'm not interested in removing these files at this time.