RC npm: lockfiles or no lockfiles #24
Comments
It might be good to add "developers' machines" to the first list. They can be a target in addition to the listed production/CD environments (think crypto-wallets, or any other private file on your machine). I think this is a good reason to suggest that all repositories commit a lock file. You wouldn't want a project developer's machine being at risk with the initial clone and npm-install of a repository. You want the "at risk" time to be when you are intentionally updating dependencies. I agree that a test without a lockfile for libraries is useful to replicate the downstream consumer's experience, as long as it is in a "sealed" environment, like those in the last list. |
It would already be at risk even with a lockfile, if the lockfile contains the malicious code. A lockfile’s purpose isn’t to prevent malicious packages, it’s to make installs deterministic/reproducible (which does help prevent malicious code, ofc). I think it is a very unwise recommendation that all developer machines use lockfiles. |
Not entirely sure if me and Jordan are at odds in our opinions (which is fine :-)), but I'm making the following observations:
|
Thanks. So we could say that in general, a lockfile should be used to protect maintainers/collaborators as well. To accommodate @ljharb's use case of "exercising a wide range of version dependencies" during tests, we can then say that "non-privileged" CI runs (
Wdut?
which Wdut? |
I agree with the leeway described where the lockfile is ignored in a non-privileged environment. This however still leaves users vulnerable to malicious packages (such as node-ipc, colors, event-stream), even if it's just their dev/local environment. |
not if you consider the dev environment as privileged and require the lockfile (I'm assuming their fork the repo). Unless the dependency is updated via a PR, it won't immediately be pulled in by developers, right? If you're thinking of catching malware, I agree it won't do that. But I think that's a different problem. Wdut? |
Hello 👋 Again another interesting discussion as #10
If a dependency is compromised and you don't have a lock file you instantly and implicitly get the malicious package by running If a dependency is compromised for it to reach the lock file (assuming it's committed to source control) the following needs to happen:
Also once the lock file is committed to source control it can be verified by automated tools like GitHub security alerts, etc. I'd say the second flow reduces the risk of a malicious package reaching developers machines, especially if before updating dependencies you verify a number of "stable" days, see https://docs.renovatebot.com/configuration-options/#stabilitydays.
@lirantal I'd say dev/local environment are privileged and should use a lock file.
I think that makes sense and you can see a use case for it in the AVA repo of installing without a lock file and running tests https://github.com/avajs/ava/blob/91f5254d7bfb6c658d0e89f48a852b92b70e31da/.github/workflows/ci.yml#L85. |
Closing this as resolved with #25. If anyone wants to continue the discussion, we'll re-open and continue. |
(Note: I will leave aside the npm-shrinkwrap.json since it's discussed separately in #10)
In this issue, I'd like to propose a change to the recommendation w.r.t lockfiles.
The OSSF (e.g., via the Scorecard's Pinned-Dependency checks) has been encouraging lockfiles, a.k.a. "hash dependency pinning".
The main advantages of lockfiles are the following:
There has been feedback, e.g. by @ljharb in ossf/scorecard#1826 (comment) and #10 (comment) that lockfiles, in some scenarios, have disadvantages.
The main drawback highlighted by @ljharb is dev lock files. A dev lockfile is one that is used by the maintainer of a project, call it
P
.P
relies on a set of dependencies:PP
s. All tests may be passing forP
, yet some bugs are reported by consumers because of a drift inPP
versions.As a results, consumers have a poorer experience, since they hit bugs (possibly in prod), need to file issues for
P
, etc. @ljharb describes it asit's [...] important to ensure that maintainers are notified as early as possible about issues in their dep graph.
.Since the benefit of lockfiles is prod and their absence is motivated by catching bugs early, I'd like to suggest rephrasing the recommendation to (roughly):
This is just a rough draft, but I'd like to hear your opinion whether it would address some of the concerns that were raised.
/cc @lirantal, @soldair
The text was updated successfully, but these errors were encountered: