The problem came up in a bug report last year, though we have no doubt others spotted it earlier. According to that report, the published package declared an install script but the attached tarball of files included a package.json file without an install script. While this wasn't a security issue, it could have been.

Asked whether lack of resources for npm development under GitHub led to this state of affairs, Clarke told The Register that while he believes GitHub underinvested in npm, "I think this issue actually went unnoticed for so long because of the horrible lack of up-to-date registry documentation."

"Many consumers don't interact directly with the registry interface so they only know what the developer tools/package managers say about the published packages," he explained.

"I also think the initial reason this came to pass was because npm, in its infancy, had both the client and registry open sourced."

The Register understands that the npm Public Registry hasn't been fully open source since early 2014, about four years after its initial release. Clarke's suggestion is that since then, npm registry code hasn't received as much attention as it might have otherwise.

The ecosystem is currently under the incorrect assumption that the manifest always contains the contents of the tarball's package.json.

Here's how that worked for software security scanner Socket
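The mismatch the bug report describes can be checked mechanically: fetch the registry's per-version manifest and the tarball it points to, then compare the fields that drive install-time behaviour. The checker below is an added example, not code from the article, Socket or npm; it works entirely on a constructed in-memory tarball and manifest (in practice the manifest comes from https://registry.npmjs.org/<name>/<version> and the tarball from its dist.tarball URL), and the package name and script are invented.

```python
import io
import json
import tarfile

# Fields that matter at install time; the registry's version manifest and the
# tarball's own package.json are compared on exactly these.
CHECKED_FIELDS = ("name", "version", "scripts", "dependencies")


def tarball_package_json(tarball: bytes) -> dict:
    """Read package/package.json out of an npm tarball (gzip'd tar) in memory."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        try:
            member = tar.extractfile("package/package.json")
        except KeyError:
            raise ValueError("tarball has no package/package.json") from None
        return json.load(member)


def manifest_confusion(registry_manifest: dict, tarball: bytes) -> dict:
    """Return {field: (registry_value, tarball_value)} for every checked field
    on which the registry manifest and the tarball's package.json disagree.
    An empty dict means the two agree on all checked fields."""
    inner = tarball_package_json(tarball)
    diffs = {}
    for field in CHECKED_FIELDS:
        reg, tb = registry_manifest.get(field), inner.get(field)
        if reg != tb:
            diffs[field] = (reg, tb)
    return diffs


def build_tarball(package_json: dict) -> bytes:
    """Constructed fixture: a minimal npm-style tarball holding one package.json."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = json.dumps(package_json).encode()
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample mirroring the bug report: the registry manifest declares an
# install script, the package.json inside the tarball does not.
REGISTRY_MANIFEST = {"name": "example-pkg", "version": "1.0.0",
                     "scripts": {"install": "node setup.js"}, "dependencies": {}}
TARBALL = build_tarball({"name": "example-pkg", "version": "1.0.0", "dependencies": {}})

if __name__ == "__main__":
    for field, (reg, tb) in manifest_confusion(REGISTRY_MANIFEST, TARBALL).items():
        print(f"{field}: registry={reg!r} tarball={tb!r}")
```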