Issue (Open) opened by emanuelb 4 years ago
2 new related issues for new results below:
detected invalid host(s) for package: react-native-bluetooth-state-manager@https://github.com/greenyossi/react-native-bluetooth-state-manager.git
expected: registry.yarnpkg.com
actual: github.com
detected invalid host(s) for package: rn-contact-tracing@https://github.com/MohGovIL/rn-contact-tracing.git#IOS_battery_opt
expected: registry.yarnpkg.com
actual: github.com
It's easy to attack the yarn.lock file with a typosquatting attack (accepting a malicious PR which looks legit); see: https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/
To defend against it, use a tool like lockfile-lint in the CI environment: https://github.com/lirantal/lockfile-lint
For example, to allow only the yarn registry (registry.yarnpkg.com) over HTTPS, run:
npx lockfile-lint --path yarn.lock --allowed-hosts yarn --validate-https
Result:
The first result needs to be fixed by https://github.com/MohGovIL/hamagen-react-native/issues/199
The second result needs to be fixed by https://github.com/MohGovIL/hamagen-react-native/issues/158
The third result needs to be fixed by https://github.com/MohGovIL/hamagen-react-native/issues/198
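As an added example (not emanuelb's code and not lockfile-lint's own implementation), the following Node.js script performs the same two checks that the `lockfile-lint --allowed-hosts yarn --validate-https` command above enables: every `resolved` URL in a yarn.lock v1 file must point at an allowlisted host and must use https. It runs over a constructed sample lockfile with placeholder hashes; the allowlist contents and the three sample entries are assumptions made for the example.

```javascript
// Added example: minimal yarn.lock v1 host/scheme checker (not lockfile-lint's code).
// It parses the v1 layout (entry header at column 0, indented "version"/"resolved"
// fields) and reports resolved URLs that fall outside an allowlist or are not https.

// Assumption: the only host we want dependencies fetched from is the yarn registry,
// which is what lockfile-lint's "yarn" shorthand for --allowed-hosts means.
const ALLOWED_HOSTS = ["registry.yarnpkg.com"];

// Parse yarn.lock v1 text into [{ name, resolved }] entries.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split("\n")) {
    const line = rawLine.replace(/\r$/, "");
    if (line === "" || line.startsWith("#")) continue; // blank lines and comments
    if (!line.startsWith(" ")) {
      // Entry header, e.g.  "@scope/pkg@^1.0.0", "@scope/pkg@^1.2.0":
      const header = line.replace(/:$/, "");
      const firstSpec = header.split(",")[0].trim().replace(/^"|"$/g, "");
      // The last "@" separates the package name from its requested range/URL,
      // which keeps scoped names such as @babel/runtime intact.
      const at = firstSpec.lastIndexOf("@");
      const name = at > 0 ? firstSpec.slice(0, at) : firstSpec;
      current = { name, resolved: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+resolved\s+"([^"]+)"/);
      if (m) current.resolved = m[1];
    }
  }
  return entries;
}

// Apply the allowed-hosts and validate-https checks; returns a list of findings.
function lintResolved(entries, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const { name, resolved } of entries) {
    if (!resolved) {
      findings.push({ name, problem: "missing resolved field" });
      continue;
    }
    let url;
    try {
      url = new URL(resolved);
    } catch {
      findings.push({ name, problem: `unparseable resolved URL: ${resolved}` });
      continue;
    }
    if (url.protocol !== "https:") {
      findings.push({ name, problem: `insecure scheme ${url.protocol} in ${resolved}` });
    }
    if (!allowedHosts.includes(url.hostname)) {
      findings.push({ name, problem: `host ${url.hostname} is not in the allowlist` });
    }
  }
  return findings;
}

function lintYarnLock(text, allowedHosts = ALLOWED_HOSTS) {
  return lintResolved(parseYarnLock(text), allowedHosts);
}

// Constructed sample lockfile (not the project's real yarn.lock). The 40-zero
// fragments and the integrity value are placeholders, not real hashes.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/runtime@^7.0.0":
  version "7.0.0"
  resolved "https://registry.yarnpkg.com/@babel/runtime/-/runtime-7.0.0.tgz#0000000000000000000000000000000000000000"
  integrity sha512-PLACEHOLDERINTEGRITYVALUE==

"react-native-bluetooth-state-manager@https://github.com/greenyossi/react-native-bluetooth-state-manager.git":
  version "1.0.0"
  resolved "https://github.com/greenyossi/react-native-bluetooth-state-manager.git#0000000000000000000000000000000000000000"

left-pad@^1.3.0:
  version "1.3.0"
  resolved "http://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#0000000000000000000000000000000000000000"
`;

// Demo run over the sample: expect one host finding and one scheme finding.
for (const f of lintYarnLock(SAMPLE_LOCK)) {
  console.log(`${f.name}: ${f.problem}`);
}
```

In CI the same logic would read the repository's yarn.lock from disk and fail the build when the findings list is non-empty; the point of running it on every pull request is that a lockfile edit pointing a dependency at a non-registry host (as in the two github.com results above) is caught before it is merged.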