Open mcandre opened 1 month ago
I think this can be done via Yarn Constraints: https://yarnpkg.com/features/constraints
Yarn constraints sound like the ideal way to implement this, for JS projects that use Yarn.
Took the liberty of writing a basic linter (Yarn and pure NPM).
Constraints cannot check transitive dependencies. A plugin can.
That said, unless you are working in some kind of private ecosystem, you will pretty much always have some unscoped transitive dependencies. For those who are in a private ecosystem, a Yarn plugin would be more appropriate instead of implementing this in the core.
Describe the user story
Non-scoped packages are vulnerable to spoofing attacks, where malicious users create fake packages with visually similar names to popular packages.
Describe the solution you'd like
Warn on the presence of non-scoped packages, including runtime dependencies, dev dependencies, and transitive dependencies.
Describe the drawbacks of your solution
Some users may be confused. Worth citing the official NPM documentation about scoped packages in warning messages, in order to reduce confusion:
https://docs.npmjs.com/cli/v9/using-npm/scope
Describe alternatives you've considered
Initially looked into eslint, but that project has a rather narrow view that considers only ECMAScript syntax, not the overall security posture of a Yarn/NPM project.
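As an added illustration of the check requested above (warn on unscoped runtime, dev and transitive dependencies, which Yarn constraints cannot reach for transitive packages), here is a small standalone linter for npm's package-lock.json (lockfileVersion 2 or 3). It is example code written for this page, not the linter mcandre mentions and not part of Yarn or npm; the sample lockfile embedded at the bottom is constructed, and the package names in it are placeholders. Each warning cites the npm scope documentation the issue links, to reduce confusion as suggested.

```javascript
"use strict";
// Added example (not the issue author's linter, not Yarn's constraints engine):
// lint an npm package-lock.json (lockfileVersion 2 or 3) and report every
// installed package whose name is not scoped (@scope/name). Direct runtime and
// dev dependencies of the root project are distinguished from transitive ones.

const SCOPE_DOCS = "https://docs.npmjs.com/cli/v9/using-npm/scope";

// "node_modules/@scope/pkg" -> "@scope/pkg"; "node_modules/a/node_modules/b" -> "b"
function nameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// A scoped name is exactly "@<scope>/<name>".
function isScoped(name) {
  return /^@[^/]+\/[^/]+$/.test(name);
}

// Returns one finding per unscoped package: { name, version, kind, path }.
// kind is "runtime" or "dev" for the root project's direct dependencies and
// "transitive" for everything else, whether nested or hoisted to the top level.
function lintLockfile(lock) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const direct = new Map();
  for (const n of Object.keys(root.dependencies || {})) direct.set(n, "runtime");
  for (const n of Object.keys(root.devDependencies || {})) direct.set(n, "dev");

  const findings = [];
  for (const [key, entry] of Object.entries(packages)) {
    if (key === "") continue;   // the root project itself
    if (entry.link) continue;   // workspace symlink, not a registry package
    const name = nameFromLockKey(key);
    if (isScoped(name)) continue;
    // More than one "node_modules/" segment means the package is nested under
    // another package, so it can only be transitive.
    const nested = key.split("node_modules/").length > 2;
    const kind = nested ? "transitive" : (direct.get(name) || "transitive");
    findings.push({ name, version: entry.version, kind, path: key });
  }
  return findings;
}

// Human-readable warnings, each citing the npm documentation on scopes.
function formatReport(findings) {
  return findings.map(
    (f) =>
      `warning: unscoped ${f.kind} dependency ${f.name}@${f.version} (${f.path}); ` +
      `unscoped names can be spoofed by look-alike packages, see ${SCOPE_DOCS}`
  );
}

// Constructed sample lockfile (placeholder names, not a real project).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "demo-app",
      dependencies: { "@acme/http": "^1.0.0", "left-pad": "^1.3.0" },
      devDependencies: { "@types/node": "^20.0.0", "mocha": "^10.0.0" },
    },
    "node_modules/@acme/http": { version: "1.0.0", dependencies: { debug: "^4.0.0" } },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/@types/node": { version: "20.0.0", dev: true },
    "node_modules/mocha": { version: "10.0.0", dev: true, dependencies: { ms: "^2.0.0" } },
    "node_modules/debug": { version: "4.3.0" },                        // hoisted transitive
    "node_modules/mocha/node_modules/ms": { version: "2.1.0", dev: true }, // nested transitive
  },
};

// Run as a CLI: `node lint-unscoped.js [path/to/package-lock.json]`;
// with no path the constructed sample lockfile is linted.
if (typeof require === "function" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const findings = lintLockfile(lock);
  for (const line of formatReport(findings)) console.log(line);
  console.log(`${findings.length} unscoped package(s) found`);
}

if (typeof module !== "undefined") {
  module.exports = { lintLockfile, formatReport, isScoped, nameFromLockKey, SAMPLE_LOCK };
}
```

On the sample lockfile this reports four packages: `left-pad` (runtime), `mocha` (dev), and the transitive `debug` and `ms`; the scoped `@acme/http` and `@types/node` pass. Because the lockfile lists every installed package, the transitive case that Yarn constraints cannot see is covered without a plugin, at the cost of only understanding npm's lockfile format.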