View | Details | Raw Unified | Return to bug 198653

(-)www/npm/Makefile (+3 lines)
Lines 3-8 Link Here
3
3
4
PORTNAME=	npm
4
PORTNAME=	npm
5
PORTVERSION=	2.7.0
5
PORTVERSION=	2.7.0
6
PORTREVISION=	1
6
CATEGORIES=	www
7
CATEGORIES=	www
7
MASTER_SITES=	LOCAL/sunpoet
8
MASTER_SITES=	LOCAL/sunpoet
8
9
Lines 11-16 Link Here
11
12
12
LICENSE=	MIT
13
LICENSE=	MIT
13
14
15
SUB_FILES=	pkg-message
16
14
OPTIONS_SINGLE=	BACKEND
17
OPTIONS_SINGLE=	BACKEND
15
OPTIONS_SINGLE_BACKEND=	IOJS NODE NODE_DEVEL NODE010
18
OPTIONS_SINGLE_BACKEND=	IOJS NODE NODE_DEVEL NODE010
16
OPTIONS_DEFAULT=NODE
19
OPTIONS_DEFAULT=NODE
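Review bot: SUB_FILES= pkg-message looks unnecessary in this hunk, because the files/pkg-message.in added by this patch contains no %%...%% substitution tokens for the framework to expand. Unless a substitution such as %%PREFIX%% is planned, consider shipping the text as a static pkg-message in the port directory and dropping this line. If the template is kept, a short comment above SUB_FILES saying why would help the next maintainer.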
(-)www/npm/files/pkg-message.in (+29 lines)
Line 0 Link Here
1
======================================================================
2
You have installed NPM, Node Package Manager.
3
4
** SECURITY ADVISORY: INSTALLED PACKAGES AUTHENTICITY NOT VERIFIED **
5
6
Please note that npm downloads packages from https://npmjs.com server
7
without verifying their authenticity. This makes your system
8
vulnerable to the MITM (man-in-the-middle) attacks. Attackers can
9
potentially impersonate https://npmjs.com server, and transparently
10
substitute legitimate packages with malicious ones. Npm running on
11
this system will not be able to detect such situation, and attackers
12
can potentially gain control over this, and connected to it systems.
13
14
** SECURITY ADVISORY: NPM ALLOWS SEAMLESS DOWNLOADS OF RANDOM CODE **
15
16
Please note that npm allows to download and install unverified code
17
from arbitrary GitHub projects with innocently looking commands. Such
18
projects can contain arbitrary code, which may turn out to be
19
malicious. No verification, testing, or approval of such code is done
20
by NPM administrators, or by FreeBSD maintainers. Such code can allow
21
attackers to potentially gain control over this, and connected to it
22
systems.
23
24
NPM is not recommended for use on production systems because of the
25
above security concerns. Please exercise extreme caution if you have
26
to use npm, or any other packages that use npm.
27
28
USE NPM AT YOUR OWN RISK!
29
======================================================================
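Review bot: The first advisory (lines 6-12 of pkg-message.in) names an https:// endpoint and then says packages are downloaded "without verifying their authenticity", but never says which check is missing, so a reader cannot tell whether the concern is the transport or the absence of package signatures. State the missing verification explicitly, and give the administrator something to act on beyond "USE NPM AT YOUR OWN RISK!". The wording also needs a pass: "this, and connected to it systems" reads better as "this system and systems connected to it", "allows to download" as "can download", "innocently looking" as "innocent-looking", and the NPM/npm/Npm casing should be made consistent.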
