Open dapplion opened 2 years ago
This issue should only be closed if we implement something related to the shrinkwrap strategy or if that's abandoned
Update on looking into this.
Trying to create a shrinkwrap file in lodestar-cli
fails with an error similar to this.
npm shrinkwrap
npm ERR! code ENOWORKSPACES
npm ERR! This command does not support workspaces.
npm ERR! A complete log of this run can be found in:
Which is not surprising, given the documentation here mentioned:
Note: This command is unaware of workspaces.
The shrinkwrap can only be generated from the root of the monorepo, but then the structure is different from what would have been generated if the command had been run specifically for lodestar-cli. What I will be doing next is to confirm and/or see if the generated shrinkwrap can be modified and moved to lodestar-cli during CI.
In the meantime, I have a question on StackOverflow about this...but no solution/answer yet...
It would be hard to estimate if your PR for this would be able to make it for the v1.7.0 release. Please consider providing a potential draft PR/solution for review so it's easier to identify whether or not we can include this.
Not a high priority as we've mitigated by documenting to users how they should install Lodestar (not via npm). We should continue investigating a solution here.
Describe the bug
Doing
is unsafe to dependency attacks, since the yarn.lock is not considered for dependency resolution.
Expected behavior
For npm installations, generate a package-lock.json (with https://github.com/imsnif/synp for example) and then generate a shrinkwrap file (see https://docs.npmjs.com/cli/v8/commands/npm-shrinkwrap). The shrinkwrap should take precedence on installation. This generation should happen in CI when publishing.
For yarn installations: investigate
TODO
To reduce the attack surface we should count how many individual authors we rely on and minimize that number and / or ensure we have a sufficient level of confidence towards them.
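A shrinkwrap only takes precedence in a useful way if every entry in it is fully pinned; an entry without `resolved` or `integrity` lets npm re-resolve or fetch unverified content at install time. The following is an added example, not Lodestar's code: a small Python check that a publish job could run over the generated npm-shrinkwrap.json, flagging entries with a missing `resolved` or `integrity`, a non-sha512 integrity, or a source outside the registry. It assumes the lockfileVersion 2/3 "packages" layout and uses a constructed sample file with placeholder hashes.

```python
import json

# Constructed sample in the lockfileVersion 2/3 layout ("packages" keyed by
# install path); not Lodestar's shrinkwrap. Hash strings are placeholders.
SAMPLE_SHRINKWRAP = json.dumps({
    "name": "example-cli", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-cli", "version": "1.0.0"},
        "packages/shared": {"name": "@example/shared", "version": "1.0.0"},
        "node_modules/@example/shared": {"resolved": "packages/shared", "link": True},
        "node_modules/left-pad": {"version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDER"},
        "node_modules/semver": {"version": "7.5.4",
            "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz"},
        "node_modules/old-lib": {"version": "0.1.0",
            "resolved": "https://registry.npmjs.org/old-lib/-/old-lib-0.1.0.tgz",
            "integrity": "sha1-PLACEHOLDER"},
        "node_modules/from-git": {"version": "2.0.0",
            "resolved": "git+ssh://git@github.com/example/from-git.git#0123456",
            "integrity": "sha512-PLACEHOLDER"},
    },
})


def audit_shrinkwrap(text: str, registry="https://registry.npmjs.org/") -> dict:
    """Return install paths whose entries would let npm re-resolve a package or
    install content that is not verified against a strong hash, by finding type."""
    lock = json.loads(text)
    if lock.get("lockfileVersion", 1) < 2 or "packages" not in lock:
        raise ValueError("expected lockfileVersion 2 or 3 with a 'packages' map")
    findings = {"missing_resolved": [], "missing_integrity": [],
                "weak_integrity": [], "non_registry": []}
    for path, entry in lock["packages"].items():
        # The root project and workspace folders are not fetched from anywhere,
        # and "link": true entries are just symlinks to those workspaces.
        if "node_modules/" not in path or entry.get("link"):
            continue
        resolved = entry.get("resolved")
        integrity = entry.get("integrity", "")
        if not resolved:
            findings["missing_resolved"].append(path)
        elif not resolved.startswith(registry):  # git/http tarballs need review
            findings["non_registry"].append(path)
        if not integrity:
            findings["missing_integrity"].append(path)
        elif not integrity.startswith("sha512-"):
            findings["weak_integrity"].append(path)
    return findings
```

Failing the publish job when any list is non-empty keeps an incompletely pinned shrinkwrap from being shipped to npm installers.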