michael-spengler / decentralized-finance

Distributed Ledger based Banking Features: Payments, Deposits, Loans and Automated investment Patterns
MIT License

Educate node project beginners around general potential weak spots #2

Closed michael-spengler closed 3 years ago

michael-spengler commented 3 years ago

There is a general challenge in all node projects which can be summarized by the image below.

The image reveals the general possibility that any dependency of a dependency of a dependency ... could theoretically leverage the postinstall option to introduce questionable actions which would be triggered by someone just calling `npm i`.

As this package is a.o. used to manage financial assets, it seems worthwhile to refer to this issue in the security section of the README.md file and in the Security.md file.

[image: stop-the-virus]

Solution: To be on the safe side even if a dependency of a dependency of a dependency ... tries to exploit the postinstall weak spot:

```
npm config set ignore-scripts true
npm install
npm config set ignore-scripts false
```
michael-spengler commented 3 years ago

Just added the corresponding links to README.md --> Security Policy.