Bug 198653 - www/npm: Add pkg-message to warn users of unverified/unauthenticated downloads
Summary: www/npm: Add pkg-message to warn users of unverified/unauthenticated downloads
Status: Closed Not Accepted
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Po-Chuan Hsieh
Keywords: easy, feature, needs-qa, patch
Depends on:
Reported: 2015-03-17 09:13 UTC by Yuri Victorovich
Modified: 2015-06-15 06:57 UTC

See Also:
koobs: maintainer-feedback+

patch (2.07 KB, patch)
2015-03-17 09:13 UTC, Yuri Victorovich
koobs: maintainer-approval-

Description Yuri Victorovich freebsd_committer 2015-03-17 09:13:35 UTC
Created attachment 154447

NPM doesn't currently support package authentication, therefore subjecting users to the possibility of MITM attacks. For reference, see this discussion: https://github.com/node-forward/discussions/issues/29

Additionally, npm allows downloading GitHub projects without any verification, directly from the developer to the user's system; see https://docs.npmjs.com/cli/install

The patch adds security advisories as a pkg-message.
Comment 1 Mark Felder freebsd_committer 2015-03-18 12:45:40 UTC
Seems reasonable to me, but I'll let the port maintainer weigh in.
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-14 09:49:03 UTC
Maintainer timeout. Open to take.
Comment 3 Po-Chuan Hsieh freebsd_committer 2015-06-14 15:03:44 UTC
I do not think it's necessary to add such a message.