
Safer installation with npm of lodestar-cli #3596

Open
dapplion opened this issue Jan 9, 2022 · 6 comments · Fixed by #4115
Labels
good first issue Issues that are suitable for first-time contributors. help wanted The author indicates that additional help is wanted. meta-investigate Issues found that require further investigation and may not have a specific resolution/fix prio-medium Resolve this some time soon (tm). scope-security Issues that fix security issues: DOS, key leak, CVEs.

Comments

@dapplion
Contributor

dapplion commented Jan 9, 2022

Describe the bug

Doing

npm install lodestar-cli

is unsafe against dependency attacks, since the yarn.lock is not considered for dependency resolution.

Expected behavior

For npm installations, generate a package-lock.json (with https://github.com/imsnif/synp for example) and then generate a shrinkwrap file (see https://docs.npmjs.com/cli/v8/commands/npm-shrinkwrap). The shrinkwrap should take precedence on installation. This generation should happen in CI when publishing.

For yarn installations: investigate

TODO

To reduce the attack surface we should count how many individual authors we rely on and minimize that number and / or ensure we have a sufficient level of confidence towards them.

@dapplion dapplion added the prio-high Resolve issues as soon as possible. label Jan 9, 2022
@dadepo dadepo self-assigned this Mar 22, 2022
@dapplion dapplion added the scope-security Issues that fix security issues: DOS, key leak, CVEs. label May 10, 2022
@dapplion dapplion reopened this Jun 7, 2022
@dapplion
Contributor Author

dapplion commented Jun 7, 2022

This issue should only be closed if we implement something related to the shrinkwrap strategy or if that's abandoned

@dadepo
Contributor

dadepo commented Jun 8, 2022

Update on looking into this.

Trying to create a shrinkwrap file in lodestar-cli fails with an error similar to this.

npm shrinkwrap
npm ERR! code ENOWORKSPACES
npm ERR! This command does not support workspaces.

npm ERR! A complete log of this run can be found in:

Which is not surprising, given the documentation here mentions:

Note: This command is unaware of workspaces.

The shrinkwrap can only be generated from the root of the monorepo, but then the structure is different from what would have been generated if the command had been run specifically for lodestar-cli. What I will be doing next is to confirm and/or see if the generated shrinkwrap can be modified and moved to lodestar-cli during CI.

In the meantime, I have a question on StackOverflow about this...but no solution/answer yet...
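The shrinkwrap strategy proposed in the opening comment, and the workspace problem described in the comment above, both come down to one question: does the lockfile that will ship with the published package pin the entire transitive dependency closure of that one workspace package, with a registry URL and a sha512 integrity for every fetched tarball? The following is an added example (not Lodestar's code and not part of this thread) of a CI check that answers it against a root lockfile of the lockfileVersion 2/3 shape, where the flat `packages` map is keyed by paths relative to the monorepo root. It resolves dependency names the way Node does (nearest `node_modules`, walking up), follows workspace `link` entries to their source directory, and reports every reached registry package that is missing a pinned URL or a sha512 integrity. The lockfile contents, package names and hashes are constructed for the example; the function names `resolveDep`, `auditClosure` and `isFullyPinned` are this example's own.

```javascript
// Added example, not Lodestar's code: audit whether a root lockfile
// (lockfileVersion 2 or 3, which both carry the flat "packages" map)
// pins the whole transitive dependency closure of one workspace package.
// Names are resolved the way Node does: nearest node_modules, walking up.
"use strict";

// Constructed sample lockfile for a small monorepo. "packages/cli" is the
// workspace we would publish; it depends on a sibling workspace and on
// yargs. yargs gets a nested cliui (a different major than the hoisted
// one), and color-name is deliberately missing its integrity field.
const SAMPLE_LOCKFILE = {
  name: "monorepo",
  lockfileVersion: 2,
  packages: {
    "": { name: "monorepo", workspaces: ["packages/*"] },
    "packages/cli": {
      name: "@example/cli",
      version: "1.0.0",
      dependencies: { "@example/utils": "^1.0.0", yargs: "^17.7.0" },
    },
    "packages/utils": {
      name: "@example/utils",
      version: "1.0.0",
      dependencies: { "color-name": "^1.1.4" },
    },
    "node_modules/@example/cli": { resolved: "packages/cli", link: true },
    "node_modules/@example/utils": { resolved: "packages/utils", link: true },
    "node_modules/yargs": {
      version: "17.7.2",
      resolved: "https://registry.npmjs.org/yargs/-/yargs-17.7.2.tgz",
      integrity: "sha512-constructedHashForYargs==",
      dependencies: { cliui: "^8.0.1" },
    },
    "node_modules/yargs/node_modules/cliui": {
      version: "8.0.1",
      resolved: "https://registry.npmjs.org/cliui/-/cliui-8.0.1.tgz",
      integrity: "sha512-constructedHashForCliui8==",
    },
    "node_modules/cliui": {
      version: "7.0.4",
      resolved: "https://registry.npmjs.org/cliui/-/cliui-7.0.4.tgz",
      integrity: "sha512-constructedHashForCliui7==",
    },
    "node_modules/color-name": {
      version: "1.1.4",
      resolved: "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
      // integrity intentionally absent: npm would fetch this without verifying it
    },
  },
};

// Return the lockfile key that `name` resolves to when required from `fromPath`,
// or null if no node_modules on the way up to the root contains it.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const key = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[key]) return key;
    if (base === "") return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i); // climb one node_modules level
  }
}

// Walk the closure from `workspacePath`; return every reached key plus a
// list of problems (unresolvable deps, non-registry or unpinned sources).
function auditClosure(lockfile, workspacePath) {
  if (!lockfile.packages) throw new Error("lockfileVersion 1 is not supported");
  const packages = lockfile.packages;
  const reached = new Set();
  const problems = [];
  const queue = [workspacePath];
  while (queue.length) {
    const key = queue.shift();
    if (reached.has(key)) continue;
    reached.add(key);
    const entry = packages[key];
    if (!entry) { problems.push(`${key}: no lockfile entry`); continue; }
    // Anything under node_modules that is not a workspace link is fetched
    // from a registry and must carry a pinned URL and a sha512 integrity.
    if (key.includes("node_modules/") && !entry.link) {
      if (!/^https:\/\/registry\.npmjs\.org\//.test(entry.resolved || "")) {
        problems.push(`${key}: resolved is not the npm registry`);
      }
      if (!/^sha512-/.test(entry.integrity || "")) {
        problems.push(`${key}: missing sha512 integrity`);
      }
    }
    for (const name of Object.keys(entry.dependencies || {})) {
      const target = resolveDep(packages, key, name);
      if (!target) { problems.push(`${key} -> ${name}: unresolvable`); continue; }
      const t = packages[target];
      queue.push(t.link ? t.resolved : target); // follow workspace links to their source dir
    }
  }
  return { reached: [...reached], problems };
}

function isFullyPinned(lockfile, workspacePath) {
  return auditClosure(lockfile, workspacePath).problems.length === 0;
}

// Stand-alone run against the constructed sample: reports the unpinned color-name.
const report = auditClosure(SAMPLE_LOCKFILE, "packages/cli");
console.log("reached:", report.reached.join(", "));
console.log(report.problems.length ? report.problems.join("\n") : "all dependencies pinned");
```

Two choices in the walk matter for the security goal. Only `dependencies` are followed, so `optionalDependencies` and `peerDependencies` (which npm may also install) would need the same treatment before using this as a publish gate. The check runs over the root lockfile as generated, so it tells you whether the root-generated shrinkwrap already covers the CLI's closure before any attempt to trim or relocate it into the package directory; the same walk can also be used to extract exactly the entries that belong in a package-local file.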

@philknows
Member

It would be hard to estimate if your PR for this would be able to make it for the v1.7.0 release. Please consider providing a potential draft PR/solution for review so it's easier to identify whether or not we can include this.

@philknows philknows added prio-medium Resolve this some time soon (tm). meta-investigate Issues found that require further investigation and may not have a specific resolution/fix and removed prio-high Resolve issues as soon as possible. labels Nov 5, 2023
@philknows
Member

Not a high priority as we've mitigated by documenting to users how they should install Lodestar (not via npm). We should continue investigating a solution here.

@philknows philknows added good first issue Issues that are suitable for first-time contributors. help wanted The author indicates that additional help is wanted. labels Oct 10, 2024
@krzysu

krzysu commented Dec 13, 2024

Have you considered using Deno as the execution environment and JSR as the package manager? JSR claims to be (source)

Secure, token-less publishing for resistance against supply chain attacks

Here are some resources for more details:
https://deno.com/
https://jsr.io/docs/with/deno

I’m not very experienced with them; it’s just an idea.

@nflaig
Member

nflaig commented Dec 13, 2024

> Have you considered using Deno as the execution environment and JSR as the package manager? JSR claims to be (source)
>
> Secure, token-less publishing for resistance against supply chain attacks
>
> Here are some resources for more details: https://deno.com/ https://jsr.io/docs/with/deno
>
> I’m not very experienced with them; it’s just an idea.

yes, we are already exploring publishing packages to JSR cc @nazarhussain
