FreeBSD Bugzilla – Attachment 154447 Details for Bug 198653
www/npm: Add pkg-message to warn users of unverified/unauthenticated downloads
Attachment: www-npm-security-advisory.patch (text/plain), 2.07 KB, created by Yuri Victorovich on 2015-03-17 09:13:35 UTC
Description: patch
Status: obsolete
>diff -Nru www/npm/Makefile www/npm/Makefile >--- www/npm/Makefile 2015-03-17 02:02:01.812860000 -0700 >+++ www/npm/Makefile 2015-03-17 02:01:59.976225000 -0700 >@@ -3,6 +3,7 @@ > > PORTNAME= npm > PORTVERSION= 2.7.0 >+PORTREVISION= 1 > CATEGORIES= www > MASTER_SITES= LOCAL/sunpoet > >@@ -11,6 +12,8 @@ > > LICENSE= MIT > >+SUB_FILES= pkg-message >+ > OPTIONS_SINGLE= BACKEND > OPTIONS_SINGLE_BACKEND= IOJS NODE NODE_DEVEL NODE010 > OPTIONS_DEFAULT=NODE >diff -Nru www/npm/files/pkg-message.in www/npm/files/pkg-message.in >--- www/npm/files/pkg-message.in 1969-12-31 16:00:00.000000000 -0800 >+++ www/npm/files/pkg-message.in 2015-03-17 01:55:47.066849000 -0700 
>@@ -0,0 +1,29 @@ >+====================================================================== >+You have installed NPM, Node Package Manager. >+ >+** SECURITY ADVISORY: INSTALLED PACKAGES AUTHENTICITY NOT VERIFIED ** >+ >+Please note that npm downloads packages from https://npmjs.com server >+without verifying their authenticity. This makes your system >+vulnerable to the MITM (man-in-the-middle) attacks. Attackers can >+potentially impersonate https://npmjs.com server, and transparently >+substitute legitimate packages with malicious ones. Npm running on >+this system will not be able to detect such situation, and attackers >+can potentially gain control over this, and connected to it systems. >+ >+** SECURITY ADVISORY: NPM ALLOWS SEAMLESS DOWNLOADS OF RANDOM CODE ** >+ >+Please note that npm allows to download and install unverified code >+from arbitrary GitHub projects with innocently looking commands. Such >+projects can contain arbitrary code, which may turn out to be >+malicious. No verification, testing, or approval of such code is done >+by NPM administrators, or by FreeBSD maintainers. Such code can allow >+attackers to potentially gain control over this, and connected to it >+systems. >+ >+NPM is not recommended for use on production systems because of the >+above security concerns. Please exercise extreme caution if you have >+to use npm, or any other packages that use npm. >+ >+USE NPM AT YOUR OWN RISK! >+======================================================================
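Review bot: in the second Makefile hunk, `SUB_FILES= pkg-message` only earns its keep when files/pkg-message.in carries %%VAR%% placeholders for the framework to substitute; the pkg-message.in added in this patch contains none, so a plain files/pkg-message (no .in suffix and no SUB_FILES line) would produce the same installed message with less build machinery. If substitution is planned for a later revision, say so in the commit message so the extra indirection is not mistaken for an oversight.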
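Review bot: the first advisory paragraph in pkg-message.in names https://npmjs.com as the download source and in the same breath says packages arrive "without verifying their authenticity"; state exactly which check is missing (TLS server verification of the registry connection, or the absence of end-to-end package signatures independent of the transport), because an https:// URL next to a blanket MITM claim reads as contradictory and gives the user nothing to act on. Also confirm that the host quoted is the one npm actually fetches packages from rather than the project website, so the warning points at the right endpoint. The closing lines ("NPM is not recommended for use on production systems", "USE NPM AT YOUR OWN RISK!") are policy judgements rather than post-install instructions, which is what a pkg-message normally carries; consider keeping the factual caveats and dropping the verdict, or pointing at npm's own documentation on registry and GitHub installs. The text also needs a grammar pass before it ships ("vulnerable to the MITM attacks", "connected to it systems", "allows to download", "innocently looking").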
Flags: koobs: maintainer-approval-