Proof of Concept to ensure consistency between NPM packages and their source code TL;DR; SNPM is a Proof of Concept built to ensure consistency between what is published on the NPM registry and its open source counterpart on public repositories, like Github. Unsplash At the end of April, and so NPM .One of the major feature introduced with version 6 is about : I’m talking about .This new command allows the user to perform an _“assessment of package dependencies for security vulnerabilities helping the user to protect their package’s users from known vulnerabilities that could cause data loss, service outages, unauthorized access to sensitive information and so on”._That’s a huge improvement that NPM team has done for the entire community. Node.js 10 was released announced npm@6 security npm audit However, I think . they didn’t catch the real problem A major security leak At the beginning of 2018 was publishing what would become about the fragility of NPM ecosystem security.What David did then was of NPM model. @david.gilbertson a stunning article exposing a major security leak In few words: what is published on the NPM registry may differ from what you see on Github. Usually, a NPM package has its source code published on Github (or hosted on another public repository), giving users the ability to verify the project and contribute.However, when someone publishes a new package on NPM no one can say that what has been uploaded is exactly what has been published on Github.This means that you can upload a malicious code on NPM and then publish a different harmless code on Github, and users won’t realize it. Not immediately, at least. This weakens the foundation of the Open Source ~ Paolo Sinelli How can we trust a system that allows users to share closed source code without any way to verify its authenticity? Funny fact: in these very days, .Someone found it inside the source code and alerted users so the compromised package was finally taken down.This is the proof that having access to the source code allows the community to prevent and cure bad situations. a backdoor has been spotted on a Python package named ssh-decorator SNPM for the rescue So, After David’s article, I started creating a to avoid these situations with NPM.It is called and I’ll try to explain how it works in few simple steps. Proof of Concept Secure NPM (SNPM) Disclaimer : SNPM is calibrated for compiled (binaries) and transpiled packages but it can be adapted also for plain packages. First, when the author wants to publish a new version of their package, they and of the compiled output. build the sources calculates the checksum Build sources Then, they need to with the new version and the checksum. called where the author can store checksums of its code. update the package.json CommonJS provides a field checksums Update package.json Now they can it on Github (or another public repo) with a new tag. release Release on a public repository At this point, they can it on NPM via SNPM: it will send just few data, such as the package version, the public repository url and the checksum.This differ from “ command because it won’t send the whole source code, nor the compiled files, but just those three information above. publish npm publish” Publish on NPM, using SNPM NPM is now in charge of from the public repo. fetching the released version Fetch released version tar.gz NPM can now the checksum by performing a series of actions: validate installing all the dependencies, via npm install building the sources, via npm run build of the compiled files calculating the checksum verifying the checksums Reproduce and verify the checksum At this point, NPM has all the information to with a successful answer or with an error. reply Reply to the publish request That’s it.Following the summarized algorithm: SNPM algorithm The main difference between NPM and SNPM is that (compiled) sources are not uploaded any more from the (untrusted) author but downloaded directly from the public repo (trusted), where everyone can reproduce the same procedure and verify the checksum. Conclusions Unfortunately, doesn’t solve this major leak and the issue is still open, especially for binaries and minified .We (as a community) must get verified and validated packages. npm audit Javascript Anyway, I want to thank the NPM team for their awesome work and I hope this article will push them to improve the security of one of the best package manager ever developed. *** Update *** I’ve created on NPM’s repository, asking for a Feature Request.After that, I’ve added always on the same thread called : as a NPM command, it should reproduce the download-build-checksum verification process, so users can verify packages on the fly. a new issue another proposal npm verify *** Update — July *** I’ve submitted a and . new RFC for NPM one for Yarn
