purescript/npm-installer

Make the installer stable

GrosSacASac opened this issue · 2 comments

I read https://harry.garrood.me/blog/malicious-code-in-purescript-npm-installer/

Your installer is still vulnerable. The simplest solution is to use a shrinkwrap file:

npm shrinkwrap

It will freeze dependencies including deep dependencies.

5 July, around 2100 UTC: load-from-cwd-or-npm@3.0.2 is published, with an exploit breaking the purescript npm installer

Locking dependencies will make sure that your software will not change whenever someone updates another package without opt in.

The compiler maintainers investigate, and for a while, we are stumped. It’s difficult to reliably reproduce, as the failure doesn’t occur in a local checkout of the purescript npm installer.

My hypothesis is that you used package-lock instead of shrink-wrap. So you had frozen dependencies when installing locally, but when purescript npm installer was installed it was not the case.
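A defender-side check for the point made above: a script that walks an npm-shrinkwrap.json (the file that ships with the published package, unlike package-lock.json) and reports every package, transitive ones included, that is not pinned to an exact version with an integrity hash. This is an added example, not code from purescript/npm-installer; the lockfile is constructed inline and its versions and hash are placeholders.

```python
"""Report packages in an npm shrinkwrap that are not fully pinned.

Added example for the discussion above, not part of purescript/npm-installer.
The lockfile below is constructed; versions and hashes are placeholders.
"""
import json
import re

# Constructed lockfile in lockfileVersion 1 layout (nested "dependencies").
# Two entries are deliberately left unpinned so the check has something to flag.
SAMPLE_SHRINKWRAP = json.dumps({
    "name": "purescript",
    "version": "0.0.0-placeholder",
    "lockfileVersion": 1,
    "dependencies": {
        "request": {
            "version": "0.0.0-placeholder",
            "resolved": "https://registry.npmjs.org/request/-/request-0.0.0.tgz",
            "integrity": "sha512-PLACEHOLDER",
            "dependencies": {
                "load-from-cwd-or-npm": {
                    "version": "0.0.0-placeholder",
                    # no "integrity": npm cannot verify the fetched tarball
                },
            },
        },
        "rimraf": {"version": "^2.6.0"},  # a range, so it can still float
    },
})

# Exact semver: major.minor.patch with an optional prerelease tag, no ^ or ~.
EXACT = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")

def walk(deps, prefix=""):
    """Yield (path, entry) for every package, descending into nested deps."""
    for name, entry in (deps or {}).items():
        path = f"{prefix}{name}"
        yield path, entry
        yield from walk(entry.get("dependencies"), path + " > ")

def unpinned(lockfile_text):
    """Return a list of problems; an empty list means everything is pinned."""
    lock = json.loads(lockfile_text)
    problems = []
    # lockfileVersion 2/3 files also carry a flat "packages" map keyed by path.
    flat = {k: v for k, v in lock.get("packages", {}).items() if k}
    for path, entry in list(walk(lock.get("dependencies"))) + list(flat.items()):
        if not EXACT.match(entry.get("version", "")):
            problems.append(f"{path}: version '{entry.get('version')}' is not exact")
        if not entry.get("integrity", "").startswith("sha"):
            problems.append(f"{path}: no integrity hash")
    return problems
```

Note that a pin only guarantees you get the version you reviewed; if that version is itself malicious, as in the incident quoted above, the lock faithfully reproduces it.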

Thanks. I understand the issue with shrinkwrapping (or not), but I think in practice it's sufficient to look at the maintainers of the dependencies you're using, which I have now done.

What happens when those maintainers switch package ownership, which will eventually happen, for example if they get paid to sell their packages, or give as heritage?

Trust-less dependencies are possible.