Use the release shasum provided by NPM to validate packages downloaded before attempting to use them, to guard against a potential MITM attack if a package is compromised. Also helps ensure NPM returns what's expected in cases where they don't 404 on invalid packages (which they're currently not doing properly). As an added bonus, see if there's a way to also validate against the official git release archives.
Stepping towards validation, After Dark now cloaks itself upon install and asks users to enter a key to continue, as shown in the attached.
npm pack yadda yadda grep integrity appears to be what I’m looking for.
Almost got it working. The approach is going to drop the sha512 digests produced by NPM into the message of the git release tag so validations may be checked using:
And compared against:
At that point someone would likely need to crack SHA-512 to tamper with a release and an audit trail will be available to find out when it happened if it ever happens.
Users may then be notified their site may be compromised if anything doesn’t check out.
Starting with 6.6.4, release tags now both include the SHA-512 digest produced by the corresponding release served by NPM and are PGP signed.
For convenience in validating the codebase, a new npm script called integrity has been provided. It may be used to validate any given release going forward, and will also be the exact same value used to access online help for any given release.
See attached images for examples of this in action.
Effectively closed with release 6.6.4. Some documentation would be nice but I’d like to get more feedback from NPM community and created the following idea as a result: https://npm.community/t/validating-npm-package-integrity-via-cli-commands/1691
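As an added example (not code from the After Dark project or from anyone in this thread), a POSIX shell sketch of the check the thread describes: compute the npm-style `sha512-<base64>` integrity string for a tarball, pull the digest recorded in the PGP-signed release tag, and compare both against what the registry reports via `npm view`. The package name, version and tag name are placeholders, and the tag-message layout (a `sha512-…` token somewhere in the tag contents) is an assumption.

```shell
#!/bin/sh
# Assumed tools: openssl and od (offline helpers), git and npm (online check).
set -eu

# Subresource Integrity string for a file, the "sha512-<base64>" form npm
# records in dist.integrity and package-lock.json.
sri_sha512() {
  printf 'sha512-%s' "$(openssl dgst -sha512 -binary "$1" | openssl base64 -A)"
}

# Decode an SRI sha512 string to lowercase hex so it can be compared with
# sha512sum-style output or another SRI value regardless of encoding.
sri_to_hex() {
  printf '%s' "${1#sha512-}" | openssl base64 -d -A | od -An -v -tx1 | tr -d ' \n'
}

# Exit status 0 when both integrity strings name the same digest.
integrity_matches() {
  [ "$(sri_to_hex "$1")" = "$(sri_to_hex "$2")" ]
}

# First sha512-... token found in the tag's message (assumed layout).
tag_integrity() {
  git tag -l --format='%(contents)' "$1" | grep -o 'sha512-[A-Za-z0-9+/=]*' | head -n1
}

# Online check: the tag signature must verify, and the registry digest must
# equal both the digest recorded in the tag and the digest of the tarball
# actually downloaded. Usage: verify_release <npm-package> <version> <git-tag>
verify_release() {
  pkg=$1; ver=$2; tag=$3
  git verify-tag "$tag" >/dev/null 2>&1 || { echo "$tag: signature check failed" >&2; return 1; }
  registry=$(npm view "$pkg@$ver" dist.integrity)
  recorded=$(tag_integrity "$tag")
  tarball=$(npm pack "$pkg@$ver" 2>/dev/null | tail -n1)   # npm pack prints the filename
  downloaded=$(sri_sha512 "$tarball")
  integrity_matches "$registry" "$recorded" && integrity_matches "$registry" "$downloaded"
}
```

A mismatch between the registry value and the tag value points at the registry side (or the path to it), while a mismatch between the registry value and the downloaded tarball points at the download itself.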