ChainSafe / lodestar

🌟 TypeScript Implementation of Ethereum Consensus
https://lodestar.chainsafe.io
Apache License 2.0
1.18k stars 289 forks

Safer installation with npm of lodestar-cli #3596

Open dapplion opened 2 years ago

dapplion commented 2 years ago

Describe the bug

Doing

npm lodestar-cli

is vulnerable to dependency attacks, since the yarn.lock is not considered for dependency resolution.

Expected behavior

For npm installations, generate a package-lock.json (with https://github.com/imsnif/synp for example) and then generate a shrinkwrap file (see https://docs.npmjs.com/cli/v8/commands/npm-shrinkwrap). The shrinkwrap should take precedence on installation. This generation should happen in CI when publishing.

For yarn installations: investigate

TODO

To reduce the attack surface we should count how many individual authors we rely on and minimize that number and / or ensure we have a sufficient level of confidence towards them.
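The expected behaviour above only helps if the shrinkwrap that takes precedence actually pins every package to an exact version, a registry URL and a content hash. The following audit is an added example (not Lodestar's own code): it walks the `packages` map of a lockfileVersion 2/3 `npm-shrinkwrap.json` / `package-lock.json` and reports entries that npm would fetch without those guarantees. The lockfile object, package names and hash values are constructed for the example.

```javascript
// Audit a lockfileVersion 2/3 npm lockfile for dependencies that are not fully pinned.
// Every entry under "packages" (except the root "" entry and workspace links) should carry
// an exact version, a URL on the expected registry and an SRI integrity hash; without
// these, a lockfile that "takes precedence" on install still leaves room for substitution.
const REGISTRY = "https://registry.npmjs.org/";
const SRI = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

function auditLockfile(lock, registry = REGISTRY) {
  const findings = [];
  if (![2, 3].includes(lock.lockfileVersion)) {
    findings.push({ path: "", problem: `unsupported lockfileVersion ${lock.lockfileVersion}` });
    return findings;
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the project itself, nothing is fetched for it
    if (entry.link) continue;  // workspace symlink, resolved from the local tree
    if (!entry.version) findings.push({ path, problem: "no exact version" });
    if (!entry.resolved) {
      findings.push({ path, problem: "no resolved URL" });
    } else if (!entry.resolved.startsWith(registry)) {
      findings.push({ path, problem: `resolved outside registry: ${entry.resolved}` });
    }
    if (!entry.integrity) {
      findings.push({ path, problem: "no integrity hash" });
    } else if (!entry.integrity.split(/\s+/).every((h) => SRI.test(h))) {
      findings.push({ path, problem: "malformed integrity value" });
    }
  }
  return findings;
}

// Constructed sample lockfile: one well-pinned package, one missing its hash,
// one pulled from a git URL, and one workspace link that should be ignored.
const sampleLock = {
  name: "example-app", version: "1.0.0", lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/good-pkg": { version: "1.2.3",
      resolved: "https://registry.npmjs.org/good-pkg/-/good-pkg-1.2.3.tgz",
      integrity: "sha512-Y29uc3RydWN0ZWQtc2FtcGxlLWhhc2g=" },
    "node_modules/no-hash": { version: "0.1.0",
      resolved: "https://registry.npmjs.org/no-hash/-/no-hash-0.1.0.tgz" },
    "node_modules/git-dep": { version: "2.0.0",
      resolved: "git+ssh://git@github.com/example/git-dep.git#0000000" },
    "node_modules/local-ws": { resolved: "packages/local-ws", link: true },
  },
};

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2)); // three findings
```

A CI step that generates the shrinkwrap can run this audit on the result and fail the publish when the findings list is non-empty.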

dapplion commented 2 years ago

This issue should only be closed if we implement something related to the shrinkwrap strategy or if that's abandoned

dadepo commented 2 years ago

Update on looking into this.

Trying to create a shrinkwrap file in lodestar-cli fails with an error similar to this.

npm shrinkwrap
npm ERR! code ENOWORKSPACES
npm ERR! This command does not support workspaces.

npm ERR! A complete log of this run can be found in:

Which is not surprising, given that the documentation here mentions:

Note: This command is unaware of workspaces.

The shrinkwrap can only be generated from the root of the monorepo, but then the structure is different from what would have been generated if the command had been run specifically for lodestar-cli. What I will be doing next is to confirm and/or see if the generated shrinkwrap can be modified and moved to lodestar-cli during CI.

In the meantime, I have a question on StackOverflow about this...but no solution/answer yet...

philknows commented 1 year ago

It would be hard to estimate if your PR for this would be able to make it for the v1.7.0 release. Please consider providing a potential draft PR/solution for review so it's easier to identify whether or not we can include this.

philknows commented 12 months ago

Not a high priority as we've mitigated by documenting to users how they should install Lodestar (not via npm). We should continue investigating a solution here.