I wonder, do you want to include automatic version updates in the dependency? In that case you already have a trust relationship with the package author, as any update could come with new malicious code anyway. If you already have such a trust relationship that you trust updates to be OK, I don't see it as any stretch to also trust the package author not to suddenly unpublish their package.
If you do not want to enter into this update trust relationship with the package author, you'd have to fix to a specific version. In that case the simpler and more effective technique would be to be able to add an expected hash code of the dependency to your package.json and have npm check whether the hash code of the package matches (wherever it comes from).

On Wed, Mar 23, 2016 at 3:39 PM, Chris Hills <c...@chaz6.com> wrote:
> As I understand it, a package author can un-publish their package on
> npmjs.com, and somebody else can publish a package with the same name. If
> I create a package that depends on a package from npmjs.org, I have little
> protection against a "bait-and-switch" which could result in unwanted, even
> malicious code being deployed and run. Other software distribution methods
> usually involve signing with a private key to protect against this kind of
> behaviour. Is there something I can do today to protect against this
> without having to manually perform an audit every time I
> download a package from npmjs.org?
>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/nodejs/e60195a2-e615-4ead-a538-02edb44bf0cd%40googlegroups.com
--
Job board: http://jobs.nodejs.org/
New group rules: https://gist.github.com/othiym23/9886289#file-moderation-policy-md
Old group rules: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nodejs+unsubscr...@googlegroups.com.
To post to this group, send email to nodejs@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/CABg07fvKqCNuV4hYQP1%2BqSFNw8ZPnOPge%2BPTaFVnBivB4-XkCA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.