Our project policy has for some time been to only permit exact versions to appear in project dependencies listed in package.json - this is at odds with most industry recommendations, and also the action of several automated tools, to allow open semver ranges of the form "~3.7.1". As it turns out, yesterday a virus was distributed exploiting exactly this facility - written up at https://github.com/eslint/eslint-scope/issues/39, this involved compromise of the npm credentials of the maintainer of a widely used package for linting to upload a corrupt version to the package registry with only a minor version update. This is not a package that we used, but it is one that we might have used quite easily, and had our policy not been in place we would have been exposed to the exploit (which in this case was a rather clumsy and harmless one, but you never know).

Our code review policies ensure that only fixed versions of the form "3.7.1" appear in our dependencies, so do be vigilant to ensure any ranges don't slip through. Note that problems of this kind could affect non-runtime dependencies such as devDependencies used for linting tasks of this kind.
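A mechanical check for the policy described above, as an added example (not code from the original mail or the GPII project): it reads package.json as text, walks the dependency fields named in FIELDS (an assumed list), and reports every entry whose version spec is not an exact version, so a code reviewer or CI job can catch ranges that slip through.

```javascript
// Added example, not from the original mail. Flags every dependency in a
// package.json whose version spec is not an exact pinned version.
// Assumption: the fields worth checking are the four listed in FIELDS.

const FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Exact semver: MAJOR.MINOR.PATCH with optional pre-release and build metadata,
// and no range operators. A leading "=" is tolerated because npm treats it as exact.
const EXACT_RE = /^=?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactVersion(spec) {
  return typeof spec === 'string' && EXACT_RE.test(spec.trim());
}

// Returns [{field, name, spec}] for every non-exact entry. Tags ("latest"),
// wildcards ("1.x", "*"), range operators ("~", "^", ">=") and URL/file specs
// are all reported, since none of them pin which bytes will be installed.
function findRangeSpecs(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const field of FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isExactVersion(spec)) findings.push({ field, name, spec });
    }
  }
  return findings;
}

// Constructed sample manifest, not a real project's package.json.
const SAMPLE = JSON.stringify({
  dependencies: { left: '3.7.1', right: '~3.7.1', caret: '^1.2.3', tag: 'latest' },
  devDependencies: { linter: '1.0.0-beta.2', wild: '1.x', eq: '=2.0.0' },
});

// Prints one line per violation and returns the exit status a CI step would use.
function checkManifest(packageJsonText) {
  const findings = findRangeSpecs(packageJsonText);
  for (const f of findings) {
    console.log(`${f.field}.${f.name}: "${f.spec}" is not an exact version`);
  }
  return findings.length === 0 ? 0 : 1;
}

checkManifest(SAMPLE);
```

Note that devDependencies are checked alongside runtime dependencies, since a compromised linting package runs with the same privileges as the build.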

Cheers,

Antranig.
_______________________________________________
Architecture mailing list
Architecture@lists.gpii.net
https://lists.gpii.net/mailman/listinfo/architecture