On 2 Oct 2013, at 00:57, Pedro Worcel <[email protected]> wrote:
> NPM nodejs package manager doesn't check for https signatures communicating
> with the central repo, which could give an attacker with MITM capabilities
> the possibility to execute code.
>
> The issue is here.
>
> The maintainer considers this to be a bug that is on his "eventually" list.

I'm not quite sure what the actual issue is at this moment. The referenced GitHub issue is 2 years old.

The current version of NPM does appear to check certificates. See config option 'strict-ssl', which is 'true' by default.

I also checked the actual code - it *does* check the SSL cert if strict-ssl is true, relying on this library: https://github.com/mikeal/request, which in turn does appear to do the right things.

Rgds,
Jeroen
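As an added example, not part of the thread above: a small POSIX shell audit of the two `.npmrc` settings the reply turns on, `strict-ssl` and the scheme of the registry URL, run over two constructed config files (the file contents and the `.invalid` host are made up for illustration; the `audit_npmrc` function name is my own).

```shell
# Audit an .npmrc file for settings that weaken transport security.
# Prints each weak setting found; returns 1 if any was found, 0 otherwise.
audit_npmrc() {
    file="$1"
    weak=0
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines and ';' / '#' comments
        case "$line" in ''|\#*|\;*) continue ;; esac
        key=$(printf '%s' "$line" | cut -d= -f1 | tr -d '[:space:]')
        val=$(printf '%s' "$line" | cut -d= -f2- | tr -d '[:space:]')
        case "$key" in
            strict-ssl)
                # strict-ssl=false makes npm accept any certificate
                if [ "$val" = "false" ]; then
                    echo "weak: strict-ssl=false disables certificate verification"
                    weak=1
                fi ;;
            registry|*:registry)
                # a plaintext registry URL bypasses TLS entirely
                case "$val" in
                    http://*)
                        echo "weak: $key uses plaintext http ($val)"
                        weak=1 ;;
                esac ;;
        esac
    done < "$file"
    return $weak
}

# Constructed sample: an unsafe configuration.
WEAK_NPMRC=$(mktemp)
cat > "$WEAK_NPMRC" <<'EOF'
; constructed example, not a real deployment
registry=http://registry.example.invalid/
strict-ssl=false
EOF

# Constructed sample: the corrected configuration (npm's defaults).
SAFE_NPMRC=$(mktemp)
cat > "$SAFE_NPMRC" <<'EOF'
registry=https://registry.npmjs.org/
strict-ssl=true
EOF

audit_npmrc "$WEAK_NPMRC" || echo "weak config flagged"
audit_npmrc "$SAFE_NPMRC" && echo "safe config passed"
```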

