======================================================================
You have installed NPM, the Node Package Manager.

** SECURITY ADVISORY: INSTALLED PACKAGES AUTHENTICITY NOT VERIFIED **

Please note that npm downloads packages from the https://npmjs.com
server without verifying their authenticity. This leaves your system
vulnerable to MITM (man-in-the-middle) attacks: an attacker who can
impersonate the https://npmjs.com server can transparently substitute
malicious packages for legitimate ones. Npm running on this system
will not be able to detect such a substitution, and the attacker can
potentially gain control over this system and any systems connected
to it.

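A check against the substitution described above, added here as an example (it is not part of this pkg-message, of the FreeBSD port, or of npm). It assumes that a package-lock.json is present and that npm has recorded an SRI "integrity" hash for each registry tarball in it, which is what npm does for packages resolved from the registry; git and GitHub dependencies get no such hash. The lock file, tarball bytes, package names and URLs below are constructed for the example.

```python
"""Verify fetched npm tarballs against the SRI hashes in package-lock.json.

Added example, not code from the FreeBSD port or from npm: the lock file
and the tarball bytes below are constructed inline so the check runs
offline. Package names and URLs are hypothetical.
"""
import base64
import hashlib
import hmac

# Digest algorithms accepted in Subresource Integrity strings ("sha512-<base64>").
ALLOWED_ALGOS = {"sha256", "sha384", "sha512"}


def parse_sri(integrity: str) -> tuple[str, bytes]:
    """Split an SRI string into (algorithm, raw digest); reject weak/malformed ones."""
    algo, _, b64 = integrity.partition("-")
    if algo not in ALLOWED_ALGOS or not b64:
        raise ValueError(f"unsupported or malformed integrity value: {integrity!r}")
    return algo, base64.b64decode(b64, validate=True)


def sri_for(data: bytes, algo: str = "sha512") -> str:
    """Compute the SRI string a lock file would record for these bytes."""
    if algo not in ALLOWED_ALGOS:
        raise ValueError(f"unsupported algorithm: {algo}")
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"


def verify_tarball(data: bytes, integrity: str) -> bool:
    """True iff the downloaded bytes match the lock file's SRI hash."""
    algo, expected = parse_sri(integrity)
    actual = hashlib.new(algo, data).digest()
    return hmac.compare_digest(actual, expected)


def check_lockfile(lock: dict, fetched: dict[str, bytes]) -> dict[str, str]:
    """Check every entry in a lockfile v2/v3 'packages' map.

    `fetched` maps each entry's 'resolved' URL to the tarball bytes that were
    actually downloaded. Returns {package path: "ok" or the reason it failed}.
    """
    results: dict[str, str] = {}
    for path, entry in lock.get("packages", {}).items():
        if not path:  # "" is the root project, not a downloaded package
            continue
        integrity = entry.get("integrity")
        if not integrity:
            # git/GitHub dependencies carry a commit in 'resolved' but no hash,
            # so there is nothing to verify the downloaded code against.
            results[path] = "no integrity field (git/GitHub dependency?)"
            continue
        data = fetched.get(entry.get("resolved"))
        if data is None:
            results[path] = "tarball not fetched"
            continue
        try:
            ok = verify_tarball(data, integrity)
        except ValueError as exc:
            results[path] = f"bad integrity value: {exc}"
            continue
        results[path] = "ok" if ok else "INTEGRITY MISMATCH"
    return results


# Constructed sample: a fake tarball, a tampered copy, and a lock file
# referencing a hypothetical registry package and a hypothetical git dependency.
GOOD_TGZ = b"fake tarball bytes for examplepkg 1.0.0"
TAMPERED_TGZ = GOOD_TGZ + b"\n# backdoor appended by an impersonated registry"
EXAMPLEPKG_URL = "https://registry.npmjs.org/examplepkg/-/examplepkg-1.0.0.tgz"
LOCK = {
    "name": "demo",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo"},
        "node_modules/examplepkg": {
            "resolved": EXAMPLEPKG_URL,
            "integrity": sri_for(GOOD_TGZ),
        },
        "node_modules/some-git-dep": {
            "resolved": "git+ssh://git@github.com/example/some-git-dep.git#0123abc",
        },
    },
}


def demo() -> dict[str, str]:
    """Simulate a MITM that swapped the registry tarball for a tampered one."""
    return check_lockfile(LOCK, {EXAMPLEPKG_URL: TAMPERED_TGZ})


if __name__ == "__main__":
    for pkg, status in demo().items():
        print(f"{pkg}: {status}")
```

The hash only proves that the bytes match what was recorded when the lock file was written; it does not prove who published them. If the lock file itself was produced on a machine that was already being fed substituted packages, the check passes on the substituted content, so the lock file has to be committed and reviewed like any other source.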
14 |
** SECURITY ADVISORY: NPM ALLOWS SEAMLESS DOWNLOADS OF RANDOM CODE ** |
15 |
|
16 |
Please note that npm allows to download and install unverified code |
17 |
from arbitrary GitHub projects with innocently looking commands. Such |
18 |
projects can contain arbitrary code, which may turn out to be |
19 |
malicious. No verification, testing, or approval of such code is done |
20 |
by NPM administrators, or by FreeBSD maintainers. Such code can allow |
21 |
attackers to potentially gain control over this, and connected to it |
22 |
systems. |
23 |
|
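A way to see, before running npm install, which dependencies in a package.json would be fetched from GitHub, another git host, or a bare URL rather than from the registry, and which lifecycle scripts npm would run automatically during the install. This is an added example and not part of this pkg-message, of the FreeBSD port, or of npm; the manifest and every package name, repository and URL in it are constructed for the example.

```python
"""Audit a package.json before `npm install`: flag dependencies that npm would
fetch from GitHub/git/URLs instead of the registry, and lifecycle scripts that
would run automatically during installation.

Added example, not code from the FreeBSD port or from npm: the manifest below
is constructed inline and all package names in it are hypothetical.
"""
import json
import re

# Lifecycle scripts npm may run on its own during `npm install`
# unless --ignore-scripts is given.
INSTALL_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")

# A bare "owner/repo[#ref]" specifier is npm shorthand for a GitHub repository.
GITHUB_SHORTHAND = re.compile(r"^[\w.-]+/[\w.-]+(#\S*)?$")


def classify_spec(spec: str) -> str:
    """Return 'registry' for a normal version spec, otherwise where npm would fetch from."""
    s = spec.strip()
    if s.startswith(("github:", "gitlab:", "bitbucket:", "gist:")):
        return "git-host"
    if s.startswith(("git+", "git://")):
        return "git-url"
    if s.startswith(("http://", "https://")):
        return "tarball-url"
    if s.startswith(("file:", "./", "../", "/")):
        return "local-path"
    if GITHUB_SHORTHAND.match(s):
        return "git-host"
    return "registry"  # semver ranges, dist-tags, "*", and "npm:<name>@<range>" aliases


def audit_manifest(manifest: dict) -> dict:
    """Collect non-registry dependencies and the install scripts npm would run."""
    findings: dict = {"non_registry": {}, "install_scripts": {}}
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(field, {}).items():
            kind = classify_spec(spec)
            if kind != "registry":
                findings["non_registry"][name] = (kind, spec)
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_SCRIPTS:
        if hook in scripts:
            findings["install_scripts"][hook] = scripts[hook]
    return findings


# Constructed manifest; every name, repository and URL here is hypothetical.
MANIFEST = json.loads("""
{
  "name": "demo-app",
  "dependencies": {
    "plainlib": "^4.2.0",
    "aliased": "npm:plainlib@^4",
    "some-lib": "someuser/some-lib#v1.2.0",
    "other-lib": "git+https://github.com/someuser/other-lib.git",
    "blob": "https://example.com/blob-1.0.0.tgz"
  },
  "devDependencies": { "linter": "8.x" },
  "scripts": {
    "postinstall": "node ./setup.js",
    "test": "mocha"
  }
}
""")


if __name__ == "__main__":
    report = audit_manifest(MANIFEST)
    for name, (kind, spec) in report["non_registry"].items():
        print(f"non-registry dependency {name}: {kind} -> {spec}")
    for hook, cmd in report["install_scripts"].items():
        print(f"runs automatically on install: {hook}: {cmd}")
```

This only inspects the top-level manifest; each dependency pulled in can carry its own install scripts and its own git dependencies, so the same check has to be applied to the resolved tree. Installing with npm install --ignore-scripts keeps the flagged hooks from running, but does not stop the code from being downloaded and placed on disk.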
NPM is not recommended for use on production systems because of the
above security concerns. Please exercise extreme caution if you have
to use npm, or any other package that uses npm.

USE NPM AT YOUR OWN RISK!
======================================================================