Description
- I'd be willing to implement this feature (contributing guide)
Describe the user story
We need some solution against lockfile injection attacks.
(It could also be a huge selling point for pnpm.)
Describe the solution you'd like
- We can have an allow-list of hosts and some simple checks that the URL matches the package name and version.
- During install, we can check every record with these simple checks (is it an `npmjs.com` URL? Do the package name and version match the URL?).
- If we have a non-standard URL, we run a slower check that the URL is the real result of `package.json`. For instance, `package.json` may have a non-standard package with a full URL in the version field.
- Additionally, we can add an option to define an allow-list of domains (and maybe enable it in the next major).
Describe the drawbacks of your solution
It could affect performance. But this two-check approach should not create any problems for most use cases (where we have packages from npm).
Describe alternatives you've considered
We can define an allow-list of domains, but it will not fix the problem. We can publish `is-nummber-bad` and replace `is-number`'s URL in the lockfile with the `is-nummber-bad` URL.