julianhille / MuhammaraJS

Muhammara: a Node module with C/C++ bindings to modify PDFs with JS for Node or Electron (based on, and a replacement for, galkhana/hummusjs)

Inquiry Regarding Supply Chain Risks Associated with the Muhammara Library #327

Closed 0xrisec closed 9 months ago

0xrisec commented 9 months ago

Dear,

I am writing to seek clarification and gain a better understanding of the supply chain risks associated with the Muhammara library listed on socket.dev. Your insights on the purpose of these components within the library would be greatly appreciated.

Specifically, I have identified two aspects that I would like to inquire about:

  1. Network Access: I noticed that Muhammara utilizes several dependencies such as @mapbox/node-pre-gyp, node-fetch and https-proxy-agent which are related to network access. Could you kindly elaborate on the purpose of these components within the library?

  2. Shell Access: Muhammara also employs dependencies like @mapbox/node-pre-gyp and detect-libc that pertain to shell access. Could you please provide some insight into the necessity of these dependencies?

[Screenshot 2023-09-17 112840 (image not included)]

I genuinely appreciate your time and assistance in clarifying these matters. Your expertise will aid in our decision-making process and help us ensure the security and reliability of our supply chain.

Thank you in advance for your prompt response.

julianhille commented 9 months ago

Muhammara is built in C++ and so is a native module. This means every system needs to compile the native module according to its architecture, Node version and the C library it mainly uses (glibc, musl). To remove the dependency on build-system setup and reduce install time (by about 3 to 5 minutes) I provide prebuilt binaries (see releases and the GitHub Actions runners) for a huge number of these matrix combinations. node-pre-gyp makes a shell call to determine which C library is used and which architecture is installing muhammara; after that a network access to GitHub releases is made to download this combination of arch, Node and C lib.

julianhille commented 9 months ago

There are options to circumvent this and always build from source if you don't trust the prebuilts, but this leads to using node-gyp, which also executes shell commands to invoke your compiler.