Support providing onlyBuiltDependencies list in a separate JSON file #7137
Comments
Here's an idea. The dependencies are built when they are all linked to node_modules. Hence, we could load the

```json
{
  "pnpm": {
    "onlyBuiltDependenciesFile": "./node_modules/@comp/only-built-deps/list.json"
  }
}
```
Hi @zkochan, this sounds great. One more thought - would it be possible for this to be additive with
Yes, I think it can be additive.
@zkochan I'm not sure if I'm missing something. From a security point of view, what's the difference between using the
Is your question pertaining to whether the concept of If so, there are a few significant differences:
@gluxon Yes, that is precisely the question. Thanks for clarifying! While it doesn't address the issue with the node, I understand your point!
Glad it helped! It's a good question. 🙂
🚢 8.9.0
Thanks for the quick follow up!
@Bessonov actually I had the same questions as you and I even tweeted about it. Brandon answered you well. One additional case would be when someone makes a typo in the package name and installs malware.
@zkochan Thank you! This is indeed a good point too. The only thing I am still concerned about is that when configuring, for example, file system access, we don't specify "dependency x can read folder/file y", but rather, we grant the entire project access to folder/file y, at least in Deno. This certainly limits the attack surface to a significant extent, but it falls short of being a bulletproof solution. On the other hand, I must acknowledge that passing environment variables with access to S3 faces a similar issue.
Contribution
Describe the user story
As a developer in an enterprise setting, I want to maintain a list of approved dependencies for the onlyBuiltDependencies feature, but this only seems to be supported by a field in package.json. I think this would be fine if the user wants to override the environment, but it would be nice from a security perspective to default all users in an environment to a known list of dependencies that can run scripts.
Let me know if this is already feasible in some form.
Describe the solution you'd like
It would be great if npmrc (or some similar solution that is environment specific) can be given the `onlyBuiltDependencies` config that functions the same as the package.json field, but package.json would take priority if this is set.
Describe the drawbacks of your solution
Describe alternatives you've considered
The simpler but more tedious alternative is just informing users in an enterprise environment to update their package.json (or automating this in some way) to use the config.