Open EdOverflow opened 6 years ago
Just to back up @EdOverflow's report here -- this is a real issue, and could lead people and teams to burn cycles chasing down security vulnerabilities via unregistered packages that don't exist.
My government agency takes unregistered package vulnerabilities very seriously, and spent some time chasing this issue down this morning so that we could protect any users of our open source code, but it turned out to be a display bug in the npm website.
Properly describing git-based dependencies would help focus security efforts where they are most needed.
Link to the page
https://www.npmjs.com/package/fec-style
Logged in or logged out?
Both work
Expected behavior
The dependencies tab should refer to the GitHub repository as defined in fec-style's package.json file.
Actual behavior
The accessible-mega-menu dependency in fec-style refers to my package on npmjs.org (https://www.npmjs.com/package/accessible-mega-menu), but in reality the package.json file points to a completely unrelated project. npmjs.org appears to always assume that a dependency is on the NPM registry.
Steps to reproduce the problem
You should see a 404 page pop up and you can create a completely unrelated module with the same name. If you do create a package with the same name as the random dependency, npmjs.org will assume that this is in fact the dependency of the original package we published and not the GitHub repository. Please note that during the installation process you still install everything according to the package.json file; this is simply an issue in the way that npmjs.org links to the dependency.
Browser with version
Firefox Developer Edition 62.0b2 (64-bit)
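Because the website's dependency links cannot be trusted for this, a team triaging a report like the one above needs to read the package.json specifier itself to learn where each dependency really comes from. The script below is an added example, not code from the issue, from npm or from the fec-style project; it classifies every dependency specifier in a package.json as a registry lookup, a git source, a remote tarball or a local path, and goes beyond the single GitHub case in the issue by covering the other specifier forms npm accepts (git+ URLs, ssh URLs, hosted shorthands, npm: aliases, file: and link: paths). The package.json it reads is constructed for the example; the package names and URLs in it are placeholders.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample package.json, modelled on the situation in the issue:
# one dependency pins a GitHub repository under a name that also exists on
# the registry, the rest are a mix of registry ranges and other sources.
SAMPLE_PACKAGE_JSON = """
{
  "name": "example-app",
  "dependencies": {
    "accessible-mega-menu": "github:example-org/accessible-mega-menu#v1.0.0",
    "lodash": "^4.17.21",
    "left-pad": "1.3.0",
    "my-fork": "git+https://github.com/example-org/my-fork.git",
    "local-lib": "file:../local-lib",
    "tarball-dep": "https://example.com/tarball-dep-1.0.0.tgz",
    "aliased": "npm:real-package@^2.0.0"
  },
  "devDependencies": {
    "eslint": "~8.0.0",
    "internal-tool": "ssh://git@github.com/example-org/internal-tool.git"
  }
}
"""

_HOSTED_SHORTHAND = re.compile(r"^(github|gitlab|bitbucket|gist):", re.IGNORECASE)
# "owner/repo" optionally followed by "#ref": the bare GitHub shorthand npm accepts
_OWNER_REPO = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(#.*)?$")
_GIT_URL = re.compile(r"^(git\+|git://|ssh://|git@)")
_HTTP_URL = re.compile(r"^https?://")
_LOCAL = re.compile(r"^(file|link|workspace):")

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")


def classify_spec(spec: str) -> str:
    """Return where npm would fetch a dependency with this specifier from."""
    spec = spec.strip()
    if _LOCAL.match(spec):
        return "local"
    if _HOSTED_SHORTHAND.match(spec) or _OWNER_REPO.match(spec):
        return "git"
    if _GIT_URL.match(spec):
        return "git"
    if _HTTP_URL.match(spec):
        # A plain http(s) URL is a remote tarball unless it clearly names a git repo
        return "git" if spec.endswith(".git") else "tarball"
    # Everything else is a registry lookup: semver ranges, an empty range,
    # dist-tags such as "latest", and "npm:other-name@range" aliases.
    return "registry"


def registry_name(name: str, spec: str) -> Optional[str]:
    """Name to look up on the registry, or None when the dependency is not fetched from it.

    Aliases of the form "npm:target@range" resolve to "target", not to the key name.
    """
    if classify_spec(spec) != "registry":
        return None
    if spec.startswith("npm:"):
        target = spec[len("npm:"):]
        # Strip a trailing "@range" while keeping a leading "@scope/" intact
        at = target.rfind("@")
        return target[:at] if at > 0 else target
    return name


def dependency_sources(package_json_text: str) -> Dict[str, str]:
    """Map every declared dependency name to its source category."""
    data = json.loads(package_json_text)
    sources: Dict[str, str] = {}
    for field in DEP_FIELDS:
        for name, spec in data.get(field, {}).items():
            sources[name] = classify_spec(spec)
    return sources


def non_registry_dependencies(package_json_text: str) -> List[str]:
    """Names for which a registry page or registry advisory says nothing about what is installed."""
    return sorted(name for name, src in dependency_sources(package_json_text).items() if src != "registry")


if __name__ == "__main__":
    for name, src in sorted(dependency_sources(SAMPLE_PACKAGE_JSON).items()):
        print(f"{name:22s} {src}")
    print("not from the registry:", ", ".join(non_registry_dependencies(SAMPLE_PACKAGE_JSON)))
```

Run it against a real package.json by replacing the constructed text with the file's contents; any name it reports as git, tarball or local is one whose registry page (and any registry-scoped vulnerability report) describes a different artifact from the one the lockfile installs, which is exactly the mismatch the dependencies tab in the issue hides.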