zed-industries / zed

Code at the speed of thought – Zed is a high-performance, multiplayer code editor from the creators of Atom and Tree-sitter.
https://zed.dev

Zed downloads NodeJS binary and npm packages from Internet without user’s consent #12589

Open jirutka opened 1 month ago

jirutka commented 1 month ago


Describe the bug / provide steps to reproduce it

I noticed that Zed automatically downloads the NodeJS binary from https://nodejs.org without asking or even informing the user about it. Right after starting it and opening a file, without doing anything else. And there’s no option to disable it.

This is completely unacceptable!

Not just for security reasons but also from a usability point of view. I’m currently connected via metered LTE, and Zed has just eaten up 14 MiB of my plan. Moreover, I already have node installed and on PATH. Also, the downloaded binary is somehow corrupted and it wouldn’t work on my system anyway because it’s built against glibc (that’s how I noticed it in the first place).

And to make matters worse, if it did work, it would start installing arbitrary packages from npmjs.com via npm and running their scripts. This represents a huge attack vector.

This approach is completely unacceptable for anyone who’s concerned about cybersecurity and for virtually all companies, at least in the EU, because of cybersecurity laws, related certifications and audits.

EDIT: Now I found that it downloads (here) even some proprietary binary from https://supermaven.com, i.e. unaudited and unauditable code, without any verification (except TLS)! At least this is not downloaded by default… I hope…

EDIT2: Zed also automatically downloads and executes prebuilt language servers for C#, Clojure, Deno, Elixir, Gleam, GLSL, Lua, Terraform, Toml and Zig. It automatically resolves the latest version available on GitHub and downloads it, again, without any verification.

Environment

N/A


asesh commented 1 month ago

I agree with you, it can cause severe security issues. It will also download unsigned executable files and run them w/o any consent or permission. That's why I have language server disabled. You can disable this feature though: https://zed.dev/docs/configuring-zed

vielmetti commented 1 month ago

Some of this is previously discussed in #7054 , specifically https://github.com/zed-industries/zed/issues/7054#issuecomment-1916315391 in which @SomeoneToIgnore writes

"We do not have plans to abandon this approach since there's so much code written to support various frontend tools already, that rewriting those in Rust will take an eternity, so not sure what is actionable here, hence closing."

jirutka commented 1 month ago

> That's why I have language server disabled. You can disable this feature though: https://zed.dev/docs/configuring-zed

Language servers are very useful. I don’t see an option to disable the automatic fetching of dependencies from the internet without disabling the language servers completely.

jirutka commented 1 month ago

> "We do not have plans to abandon this approach since there's so much code written to support various frontend tools already, that rewriting those in Rust will take an eternity, so not sure what is actionable here, hence closing."

This is a false dichotomy. Nobody is asking to rewrite everything in Rust and bundle it into the application (on the contrary, I’d ask the opposite). Node.js is a normal system dependency that should be installed by the system’s package manager, or manually (if there’s no package manager in place). And that’s what I did for the Alpine Linux package, but I had to patch the Zed sources to do it.

someone13574 commented 1 month ago

Maybe a popup, which is enabled by default, could ask for permission to download some-binary from some-link? It wouldn't mitigate the fact that it's downloading a binary, but it would at least give the user an option to see what's getting downloaded beforehand and see that it's from somewhere official. Then in settings there could be three options for download_permission or something:

asesh commented 1 month ago

> That's why I have language server disabled. You can disable this feature though: https://zed.dev/docs/configuring-zed
>
> Language servers are very useful. I don’t see an option to disable the automatic fetching of dependencies from the internet without disabling the language servers completely.

They are useful but I would rather keep my machine safe than run arbitrary executables and scripts. That's why I have it disabled. This is a really weird and insecure feature of Zed!!

someone13574 commented 1 month ago

Ideally you would be able to turn off auto-download but still be able to use an LSP if it’s already on the user’s system.
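The three requests made in this thread so far (prefer an audited binary already on PATH, never download without an explicit opt-in, and never execute an artifact that was not verified against something stronger than TLS) fit in one resolution routine. The following Python is an added example written for this page, not Zed's code and not a proposal the project has adopted; the policy values "never"/"ask"/"always", the function and exception names, and the injected fetch and prompt callbacks are assumptions, and the "binary" in the demo is a constructed byte string so the example runs with no network access.

```python
"""Tool resolution with a download policy and a pinned digest.

Added example, not Zed's code. Policy names, function names and the
callback shapes are assumptions made for this illustration.
"""
import hashlib
import hmac
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class PinnedArtifact:
    """A pin fixed at release time: exact URL and SHA-256, never "latest on GitHub"."""
    url: str
    sha256: str  # lowercase hex digest shipped with the editor, not fetched


@dataclass(frozen=True)
class Resolution:
    source: str  # "system" or "downloaded"
    path: str


class DownloadRefused(Exception):
    pass


class ChecksumMismatch(Exception):
    pass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, pinned: PinnedArtifact) -> bytes:
    """Return data only if it matches the pinned digest (constant-time compare)."""
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, pinned.sha256.lower()):
        raise ChecksumMismatch(f"{pinned.url}: expected {pinned.sha256}, got {actual}")
    return data


def resolve_tool(
    name: str,
    policy: str,                        # "never" | "ask" | "always" (assumed names)
    pinned: Optional[PinnedArtifact],
    fetch: Callable[[str], bytes],      # network fetch, injected so this runs offline
    ask: Callable[[str], bool] = lambda url: False,   # user prompt; default declines
    path: Optional[str] = None,         # PATH override for testing; None = real $PATH
    dest_dir: Optional[str] = None,
) -> Resolution:
    if policy not in ("never", "ask", "always"):
        raise ValueError(f"unknown policy {policy!r}")
    # 1. A binary the user already has on PATH always wins; nothing is fetched.
    found = shutil.which(name, path=path)
    if found:
        return Resolution("system", found)
    # 2. Nothing on PATH: a download needs both an opt-in and a release-time pin.
    if policy == "never" or pinned is None:
        raise DownloadRefused(f"{name}: not on PATH and auto-download is disabled")
    if policy == "ask" and not ask(pinned.url):
        raise DownloadRefused(f"{name}: user declined download of {pinned.url}")
    # 3. Verify before the bytes are written anywhere as an executable.
    data = verify_artifact(fetch(pinned.url), pinned)
    dest_dir = dest_dir or tempfile.mkdtemp(prefix="tools-")
    target = os.path.join(dest_dir, name)
    with open(target, "wb") as fh:
        fh.write(data)
    os.chmod(target, 0o755)
    return Resolution("downloaded", target)


def demo() -> dict:
    """Constructed scenarios: a fake PATH directory and a fake fetcher, no network."""
    good = b"#!/bin/sh\necho node-v18\n"          # constructed stand-in for a binary
    tampered = good + b"echo pwned\n"              # what a modified mirror might serve
    pinned = PinnedArtifact("https://example.invalid/node.tar.gz", sha256_hex(good))
    results = {}

    path_dir = tempfile.mkdtemp(prefix="fakepath-")
    system_node = os.path.join(path_dir, "node")
    with open(system_node, "wb") as fh:
        fh.write(good)
    os.chmod(system_node, 0o755)
    empty_dir = tempfile.mkdtemp(prefix="emptypath-")
    out = tempfile.mkdtemp(prefix="dl-")

    r = resolve_tool("node", "always", pinned, fetch=lambda u: good, path=path_dir)
    results["system_wins"] = r.source == "system" and r.path == system_node
    try:
        resolve_tool("node", "never", pinned, fetch=lambda u: good, path=empty_dir)
        results["never_refuses"] = False
    except DownloadRefused:
        results["never_refuses"] = True
    try:
        resolve_tool("node", "ask", pinned, fetch=lambda u: good, path=empty_dir)
        results["ask_declined"] = False
    except DownloadRefused:
        results["ask_declined"] = True
    try:
        resolve_tool("node", "always", pinned, fetch=lambda u: tampered,
                     path=empty_dir, dest_dir=out)
        results["tampered_rejected"] = False
    except ChecksumMismatch:
        results["tampered_rejected"] = not os.path.exists(os.path.join(out, "node"))
    r = resolve_tool("node", "always", pinned, fetch=lambda u: good,
                     path=empty_dir, dest_dir=out)
    results["pinned_download_ok"] = r.source == "downloaded" and os.access(r.path, os.X_OK)
    return results


if __name__ == "__main__":
    print(demo())
```

The pin has to ship with the editor: a digest fetched from the same server as the artifact adds nothing over TLS, which is the only check the thread says the current downloads get. Pinning also removes the "resolve the latest version on GitHub" step, since the editor then knows exactly which release it is willing to run.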

crabdancing commented 2 weeks ago

Yeah, this issue really turned me off using Zed until it's fixed. :/

It tried to run them and then hilariously couldn't because I'm on a NixOS system:

[2024-06-16T12:55:07-06:00 ERROR project] failed to start language server "json-language-server": failed to execute npm info subcommand:
stdout: ""
stderr: "Could not start dynamically linked executable: /home/ada/.local/share/zed/node/node-v18.15.0-linux-x64/bin/node\nNixOS cannot run dynamically linked executables intended for generic\nlinux environments out of the box. For more information, see:\nhttps://nix.dev/permalink/stub-ld\n"

Frankly, not having the ability to configure it to just use what's in my environment (which I have already audited), or specific paths that I give it, is a dealbreaker. I much prefer Helix's simpler approach to this of just telling you what it has access to and what it doesn't, and letting you override the things it's trying to use.

vinicius507 commented 2 weeks ago


Yes, on NixOS and I had to wrap Zed in a FHS environment so I could use the LSPs. Not the best experience imo.