npm / www

community space for the npm website
https://npm.community

npmjs.org always assumes that all dependencies are on npmjs.org and ends up linking to unrelated packages. #448

Open EdOverflow opened 6 years ago

EdOverflow commented 6 years ago

Link to the page

https://www.npmjs.com/package/fec-style

Logged in or logged out?

Both work

Expected behavior

The dependencies tab should refer to the GitHub repository as defined in fec-style's package.json file.

Actual behavior

The accessible-mega-menu dependency in fec-style refers to my package on npmjs.org (https://www.npmjs.com/package/accessible-mega-menu), but in reality the package.json file points to a completely unrelated project.

$ npm view fec-style dependencies | head -2

{ 'accessible-mega-menu': 'git+https://github.com/noahmanger/Accessible-Mega-Menu.git',

npmjs.org appears to always assume that a dependency is on the NPM registry.

Steps to reproduce the problem

  1. Create a new Node module;
  2. In the package.json file, set some random dependency that is not on npmjs.org and link to a GitHub repository;
  3. Publish the package to npmjs.org;
  4. Navigate to the "Dependencies" tab of your newly-created Node module;
  5. Click on the random dependency.

You should see a 404 page pop up and you can create a completely unrelated module with the same name. If you do create a package with the same name as the random dependency, npmjs.org will assume that this is in fact the dependency of the original package we published and not the GitHub repository. Please note that during the installation process you still install everything according to the package.json file; this is simply an issue in the way that npmjs.org links to the dependency.

Browser with version

Firefox Developer Edition 62.0b2 (64-bit)

konklone commented 6 years ago

Just to back up @EdOverflow's report here -- this is a real issue, and could lead people and teams to burn cycles chasing down security vulnerabilities via unregistered packages that don't exist.

My government agency takes unregistered package vulnerabilities very seriously, and spent some time chasing this issue down this morning so that we could protect any users of our open source code, but it turned out to be a display bug in the npm website.

Properly describing git-based dependencies would help focus security efforts where they are most needed.
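The distinction both comments above turn on is how a dependency is resolved: a plain version range is fetched from the registry under the dependency's name, whereas git URLs, GitHub shorthands, tarball URLs, `file:` paths and `npm:` aliases are not, so a `https://www.npmjs.com/package/<name>` link says nothing about the code that actually gets installed. The following script is an added example, not code from this issue thread or from the npm website; it classifies each specifier in a package.json using the specifier forms npm documents and flags the ones for which a registry link would be misleading, which is the triage check a team like konklone's would want before chasing an "unregistered package" finding. The `accessible-mega-menu` entry is the one quoted in the report; the other package names and the `SAMPLE_PACKAGE_JSON` object are constructed for illustration.

```javascript
// Added example (not from npm/www): audit package.json dependency specifiers
// and report those that are NOT resolved from the npm registry under the
// dependency's own name, i.e. where a link to npmjs.com/package/<name>
// points at an unrelated (or nonexistent) package.

const GIT_PROTOCOLS = ['git', 'git+ssh', 'git+http', 'git+https', 'git+file'];
const HOSTED_SHORTCUTS = ['github', 'gist', 'bitbucket', 'gitlab'];

// Classify one specifier string. `registry` is true only when npm fetches
// the package from the registry; `target` says what it actually resolves to.
function classifySpecifier(spec) {
  const s = String(spec).trim();
  const proto = s.match(/^([a-z][a-z0-9+.-]*):/i);
  if (proto) {
    const p = proto[1].toLowerCase();
    if (GIT_PROTOCOLS.includes(p) || HOSTED_SHORTCUTS.includes(p)) {
      return { kind: 'git', registry: false, target: s };
    }
    if (p === 'http' || p === 'https') return { kind: 'tarball-url', registry: false, target: s };
    if (p === 'file' || p === 'link') return { kind: 'local', registry: false, target: s };
    if (p === 'npm') {
      // Alias form "foo": "npm:bar@^1.0.0" installs registry package "bar" as "foo".
      const body = s.slice('npm:'.length);
      const at = body.lastIndexOf('@');               // index 0 would be a scope, not a version
      const realName = at > 0 ? body.slice(0, at) : body;
      return { kind: 'alias', registry: true, target: realName };
    }
    return { kind: 'unknown', registry: false, target: s };
  }
  // GitHub shorthand "user/repo" or "user/repo#ref" (no protocol prefix).
  if (/^[^@/\s]+\/[^/\s#]+(#.*)?$/.test(s)) {
    return { kind: 'git', registry: false, target: 'github:' + s };
  }
  // Anything else (range, exact version, dist-tag, "*") is a registry lookup by name.
  return { kind: 'registry-range', registry: true, target: null };
}

// Walk every dependency section and mark entries whose npmjs.com link is misleading.
function auditDependencies(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const c = classifySpecifier(spec);
      // The registry page for <name> describes the installed code only when the
      // package is resolved from the registry under exactly that name.
      const registryLinkMisleading = !c.registry || (c.kind === 'alias' && c.target !== name);
      findings.push({
        section, name, spec, kind: c.kind, registryLinkMisleading,
        resolvesTo: c.target ?? name,
      });
    }
  }
  return findings;
}

// Constructed sample manifest. Only the accessible-mega-menu line is taken
// from the issue report; every other name here is hypothetical.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  dependencies: {
    'accessible-mega-menu': 'git+https://github.com/noahmanger/Accessible-Mega-Menu.git',
    'lodash': '^4.17.0',                          // ordinary registry range
    'my-fork': 'someuser/somerepo#v2',            // GitHub shorthand
    'vendored': 'file:./vendor/vendored',         // local path
    'legacy-name': 'npm:renamed-package@^1.0.0',  // alias to a differently named registry package
  },
};

// Names whose npmjs.com link would send a reviewer to unrelated or absent code.
function misleadingNames(pkg = SAMPLE_PACKAGE_JSON) {
  return auditDependencies(pkg).filter(f => f.registryLinkMisleading).map(f => f.name);
}

console.log(JSON.stringify(auditDependencies(SAMPLE_PACKAGE_JSON), null, 2));
```

Run against a real manifest by replacing `SAMPLE_PACKAGE_JSON` with the parsed file; every name the audit flags is one where the website's "Dependencies" tab, as the report describes it, would link to whatever happens to be published under that name rather than to the git repository or local path that is actually installed.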