Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve shrinkwrap security by default by using always SHA512 hashes #536

Closed
evilaliv3 opened this issue Nov 28, 2019 · 1 comment
Closed

Comments

@evilaliv3
Copy link

Current behaviour of NPM is to perform a shrinkwrap by using the archived SHA hash stored on the registry at the time of publishing.

This causes a well known behaviour where only packages published using NPM benefits of hashes of type SHA512, while older packages published before continue have only an hash of type SHA1 known to not be resilient about collisions.

This poses severe possible server securiy issues on crytical projects using dependencies published on NPM.

This ticket is to propose the reception of on of the following changes:

  • Extend the registry to automatically perform re-hashing of the existing published packages including an hash of type sha512
  • extend the shrinkwrap utility with the possibility to perform an online hashing of the dependencies directly while performing the shrinkwrap process and so following a Trust on First Use approach (TOFU).

References:
https://npm.community/t/sha1-vs-sha512-integrity/3416
https://medium.com/@ldong/stupid-sha-checksum-changes-in-npm-5-4bcb93f40791

Ticket proposal idea defined while working on the GlobaLeaks project.

@evilaliv3
Copy link
Author

@zkat: As from what i read you have well analyzed this problem in many situations would you please advise on the best thing to do?

I'm also considering crating a package (maybe a grunt plugin) just for fixing the shrinkwrap implementing a trust on first use approach, but i wonder if other projects has followed different approaches.

thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants