Static safety check for npm packages.


(Leo Yin) #1

Given the recent incident regarding eslint-scope, it is pretty obvious and necessary to me that certain security measures must be added to npm.

A very simple idea would be to mark all npm packages that use network access, and provide a warning to users if the previous version of a package did not require that access.

The implementation should be fairly straightforward: analyze the existing npm dependency graph, and check for the use of certain browser globals and Node network packages. The nature of such problems makes it necessary for this to be done within the npm package and/or repository.

Given the way malicious software works, the most sensitive issue for most people is their private data getting stolen, given that it cannot be undone.


Sandboxing npm packages
(Lars Willighagen) #2

I think this would be very difficult, given the dynamic nature of JS. To access the net you only need the built-in Node.js http module (which wouldn’t show up in the dependency graph), and checking the code for what packages are used is basically impossible without executing the code. For example, instead of

let http = require('http')

one might say

let http = require('ht' + 'tp')

or

let h = process.hrtime.name[0]
let t = process.uptime.name[2]
let p = process.uptime.name[1]

let http = require(h + t + t + p)