
Reverse option of neverBuiltDependencies #4001

Closed
1 task done
Jack-Works opened this issue Nov 17, 2021 · 4 comments · Fixed by #4014
@Jack-Works
Member

Describe the user story

There should be an onlyBuiltDependencies option. Only allowing some scripts makes the install safer.

Describe the solution you'd like

Add an onlyBuiltDependencies like neverBuiltDependencies

@zkochan
Member

zkochan commented Nov 20, 2021

This doesn't make it completely secure to be honest. Let's say you add fsevents to onlyBuiltDependencies. Then someone breaks package foo and adds fsevents to its dependencies. But the fsevents in the dependencies will be a git-hosted dependency or a dependency from a different registry. fsevents will be executed because the name is right.

@Jack-Works
Member Author

> This doesn't make it completely secure to be honest. Let's say you add fsevents to onlyBuiltDependencies. Then someone breaks package foo and adds fsevents to its dependencies. But the fsevents in the dependencies will be a git-hosted dependency or a dependency from a different registry. fsevents will be executed because the name is right.

Yes. I agree, this case is interesting and completely makes it unsafe.

@bentobox19 @kumavis @v-gjy @EtDu what do you think?

If I allowed fsevents to run post-install scripts, an evil dependency can declare that it depends on a fake fsevents that is installed from "git://" or a .tar.gz file and make this limit completely useless.

Maybe we also should limit the install source (only install from approved registry/git URL/HTTPs URL)?

@Jack-Works
Member Author

🤔 Thanks to .pnpmfile.cjs I can write my own approve list for an unusual installation source.

https://github.com/DimensionDev/Maskbook/pull/4867/files

I think this + neverBuiltDependencies can solve the problem.
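The approve-list idea in the comment above, as an added example that is not pnpm's code and not the linked Maskbook PR: a `.pnpmfile.cjs` `readPackage` hook that rejects any dependency declared with a non-registry specifier (git URL, `github:` shorthand, tarball URL, `file:`/`link:`) unless that exact name-and-spec pair has been reviewed and listed. `readPackage(pkg, context)` is pnpm's real hook signature; the `APPROVED_SOURCES` table, the spec patterns and the manifests in the test are constructed for this example.

```javascript
// Added example (not pnpm's code and not the Maskbook PR linked above):
// a .pnpmfile.cjs readPackage hook that rejects dependencies pulled from
// anywhere except the npm registry unless the exact (name, spec) pair has
// been approved. readPackage(pkg, context) is pnpm's real hook signature;
// the allowlist, the patterns and the sample manifests are constructed.

// Dependency specs that do not resolve through the configured registry.
const NON_REGISTRY_PATTERNS = [
  /^(git\+)?(ssh|https?|git|file):\/\//i, // git://, git+https://, https://.../x.tgz
  /^github:/i,
  /^gitlab:/i,
  /^bitbucket:/i,
  /^file:/i,
  /^link:/i,
  /^[\w.-]+\/[\w.-]+(#.*)?$/,             // GitHub shorthand user/repo[#ref]
];

// Pairs a reviewer has looked at and approved, keyed name -> [spec, ...].
// Constructed (hypothetical) entry for this example.
const APPROVED_SOURCES = {
  "left-pad": ["github:example-org/left-pad#v1.3.0"],
};

// Classify a dependency specifier by where pnpm would fetch it from.
function classifySpec(spec) {
  if (spec.startsWith("workspace:")) return "workspace";
  if (spec.startsWith("npm:")) return "alias";      // npm:real-name@range (registry)
  if (NON_REGISTRY_PATTERNS.some((re) => re.test(spec))) return "external";
  return "registry";                                 // semver range or dist-tag
}

// Returns the (name, spec) pairs in pkg that come from an external source
// and are not on the allowlist. An empty list means the manifest is fine.
function findUnapprovedSources(pkg, approved = APPROVED_SOURCES) {
  const violations = [];
  for (const field of ["dependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (classifySpec(spec) !== "external") continue;
      const ok = (approved[name] || []).includes(spec);
      if (!ok) violations.push({ dependant: pkg.name, name, spec });
    }
  }
  return violations;
}

// pnpm calls this for every package.json it reads; throwing aborts the install.
function readPackage(pkg, context) {
  const bad = findUnapprovedSources(pkg);
  if (bad.length > 0) {
    const lines = bad.map((v) => `  ${v.dependant} -> ${v.name}@${v.spec}`);
    throw new Error(`Unapproved install sources:\n${lines.join("\n")}`);
  }
  if (context && context.log) context.log(`install sources checked for ${pkg.name}`);
  return pkg;
}

if (typeof module !== "undefined") {
  module.exports = { hooks: { readPackage }, findUnapprovedSources, classifySpec };
}
```

Note that `npm:` aliases are classified as registry-sourced here, because the hook only answers "where is this fetched from?"; whether an alias should count as the package it is named after is the separate question discussed later in the thread.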

zkochan pushed a commit that referenced this issue Feb 17, 2022
zkochan added a commit that referenced this issue Feb 17, 2022
close #4001

Co-authored-by: Jack Works <jackworks@protonmail.com>
zkochan added a commit that referenced this issue Feb 21, 2022
close #4001

Co-authored-by: Jack Works <jackworks@protonmail.com>
@zkochan zkochan added this to the v6.32 milestone Feb 22, 2022
@Jack-Works
Member Author

> If I allowed fsevents to run post-install scripts, an evil dependency can declare it depends on a fake fsevents that installed from "git://" or a .tar.gz file and make this limit completely useless.

Having a new thought on this problem, what if we limit the package name like this?

"onlyBuiltDependencies": ["npm:fsevents"]

It will only run the build command if the package is named "fsevents" and it is installed directly from npm in the form of "fsevents": "1.2.3".

"fsevents": "npm:my-evil-package@1.2.3" or "fsevents": "https://github.com/..." does not match the onlyBuiltDependencies rule.
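The `npm:fsevents` proposal above, as an added example that is not pnpm's implementation: a checker that decides per resolved package whether build scripts may run. Each package is described by the name it was declared under (`alias`), the name in its own package.json (`realName`) and where it was fetched from (`source`); the resolved list, the field names and the bare-name matching rule are assumptions made for this example.

```javascript
// Added example, not pnpm's implementation: matching "onlyBuiltDependencies"
// entries against resolved packages. An "npm:<name>" entry matches only a
// registry package whose real name is <name>; a bare "<name>" entry is assumed
// to match the declared dependency name regardless of source. The resolved
// packages below are constructed.

function parseAllowEntry(entry) {
  if (entry.startsWith("npm:")) return { name: entry.slice(4), registryOnly: true };
  return { name: entry, registryOnly: false };
}

// True if any entry in onlyBuiltDependencies permits build scripts for pkg.
function mayRunBuildScripts(pkg, onlyBuiltDependencies) {
  return onlyBuiltDependencies.map(parseAllowEntry).some((rule) => {
    if (rule.registryOnly) {
      return pkg.source === "registry" && pkg.realName === rule.name;
    }
    return pkg.alias === rule.name;
  });
}

// Constructed resolved packages, one per way of declaring "fsevents":
const RESOLVED = [
  // "fsevents": "1.2.3"  (the legitimate registry package)
  { alias: "fsevents", realName: "fsevents", source: "registry", version: "1.2.3" },
  // "fsevents": "git://..."  declared by a compromised dependency
  { alias: "fsevents", realName: "fsevents", source: "git", version: "0.0.0" },
  // "fsevents": "npm:my-evil-package@1.2.3"  (registry alias to another package)
  { alias: "fsevents", realName: "my-evil-package", source: "registry", version: "1.2.3" },
  // "fsevents": "https://example.invalid/fsevents.tar.gz"
  { alias: "fsevents", realName: "fsevents", source: "tarball", version: "9.9.9" },
];

// Annotate each resolved package with the build decision.
function buildDecisions(resolved, onlyBuiltDependencies) {
  return resolved.map((pkg) => ({
    ...pkg,
    build: mayRunBuildScripts(pkg, onlyBuiltDependencies),
  }));
}

// How many of the resolved packages would get to run their build scripts.
function countBuilds(resolved, onlyBuiltDependencies) {
  return buildDecisions(resolved, onlyBuiltDependencies).filter((d) => d.build).length;
}

// Usage: compare the bare rule with the registry-only rule.
for (const rules of [["fsevents"], ["npm:fsevents"]]) {
  console.log(JSON.stringify(rules), "builds", countBuilds(RESOLVED, rules), "of", RESOLVED.length);
}
```

With the bare rule all four `fsevents` declarations run their scripts, which is the gap described earlier in the thread; with `npm:fsevents` only the registry package whose own name is `fsevents` does. Neither rule limits which version builds, so a pinned allowlist would still need a version or integrity check on top.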
