Hi Pedro,

On Wed, October 2, 2013 00:57, Pedro Worcel wrote:
> NPM nodejs package manager doesn't check for https signatures communicating
> with the central repo, which could give an attacker with MITM capabilities
> the possibility to execute code.
>
> The issue is here <https://github.com/isaacs/npm/issues/1204>.
Thanks for raising this here. I'm very much in agreement with the submitter that this process should be secure, but can sympathize with upstream who is annoyed by being told what to do and how to manage his issue tracker. But of course, in the end it should be secure.

I'm not a node expert, but from the issue it seems that a patch was at least committed two years ago that does some kind of certificate checking. Perhaps best is if you file this as a bug in the Debian BTS, so it can be discussed with the npm maintainers to see how to best approach this.

Cheers,
Thijs

