ip1981 / npm.nix

Organize JavaScript packages with the Nix package manager
https://git.pashev.ru/nix/npm.nix
Do What The F*ck You Want To Public License

`npm audit` support #2

Open quinn-dougherty opened 2 years ago

quinn-dougherty commented 2 years ago

What would have to happen to run `npm audit` inside the Nix sandbox?

ip1981 commented 2 years ago

At least a specially crafted package-lock.json file, and probably a package.json with dependencies.

Maybe it's possible (https://github.com/ip1981/npm.nix/commit/c1c6ddc2e3fc0d3a183507c6a08ae98d240738ee should help with experimenting):

(Thu, 11 Nov 2021 12:25:58 +0200)
[pashev@life:~/tmp/npm]
# cat package.json 
{
  "name": "cor-convert",
  "description": "Plain color conversion functions",
  "version": "2.0.1",
  "author": "Heather Arthur <fayearthur@gmail.com>",
  "license": "MIT",
  "repository": "Qix-/color-convert",
  "files": [
    "index.js",
    "conversions.js",
    "route.js"
  ],
  "dependencies": {
    "color-name": "file:/nix/store/2k0qqdcf64mdv80hnnakpxrvkjwi99fr-nodejs-14.17.3-color-name-1.1.4"
  }
}

(Thu, 11 Nov 2021 12:26:06 +0200)
[pashev@life:~/tmp/npm]
# rm -rf node_modules/

(Thu, 11 Nov 2021 12:26:28 +0200)
[pashev@life:~/tmp/npm]
# /nix/store/vx4kv0wl3n4xk5cq6l9ilvmhmvqz1fp9-nodejs-14.17.3/bin/npm i
added 1 package from 1 contributor and audited 1 package in 0.951s
found 0 vulnerabilities

(Thu, 11 Nov 2021 12:26:32 +0200)
[pashev@life:~/tmp/npm]
# find -ls
 16326662      4 drwxr-xr-x   3 pashev   pashev       4096 nov 11 12:26 .
 16259526      4 -rw-r--r--   1 pashev   pashev        256 nov 11 12:26 ./package-lock.json
 16259621      4 -r--r--r--   1 pashev   pashev        411 nov 11 12:23 ./package.json
 16326663      4 drwxr-xr-x   2 pashev   pashev       4096 nov 11 12:26 ./node_modules
 16256609      4 lrwxrwxrwx   1 pashev   pashev         89 nov 11 12:26 ./node_modules/color-name -> ../../../../../nix/store/2k0qqdcf64mdv80hnnakpxrvkjwi99fr-nodejs-14.17.3-color-name-1.1.4

(Thu, 11 Nov 2021 12:26:37 +0200)
[pashev@life:~/tmp/npm]
# /nix/store/vx4kv0wl3n4xk5cq6l9ilvmhmvqz1fp9-nodejs-14.17.3/bin/npm audit

                       === npm audit security report ===                        

found 0 vulnerabilities
 in 1 scanned package