Pin dependency versions #522

Open
AlMcKinlay opened this issue Mar 23, 2016 · 1 comment
@AlMcKinlay (Contributor)

I'd like to pin all our dependency versions. The pad-left debacle has confirmed something to me:

09:31 &YaManicKill Yeah, it might be fine because we don't use pinned versions (but...we probably should, now that I've thought about some things today)
09:31 &YaManicKill Because technically, someone can unpublish something, someone else can then take that name and publish new code with a patch version number update, and include malicious code.
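One way to audit a manifest for the problem described above, as an added example that is not part of the issue or the project's code base: classify every version specifier in a package.json and report the ones that are not pinned to one exact version (caret and tilde ranges, wildcards, dist-tags such as "latest", and git or URL sources). The sample manifest is constructed for the example; the classification follows npm's semver-style specifier syntax.

```javascript
// Added example (not from the issue or the project): flag package.json
// dependency specs that do not pin one exact version.
// Assumption: specs use npm's semver-style syntax ("^1.0.0", "~2.4.0",
// "latest", "git+https://...", "user/repo", ...).

// Exact version, optionally prefixed with "=" or "v", with pre-release/build.
const EXACT_VERSION = /^=?v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// Sources that bypass the registry's version resolution entirely.
const NON_REGISTRY = /^(?:git\+|git:|github:|gitlab:|bitbucket:|file:|link:|https?:|npm:)/;
// GitHub shorthand "user/repo" or "user/repo#ref".
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(?:#.*)?$/;
// A bare dist-tag such as "latest" or "next" (resolves to whatever is
// published under that tag at install time).
const DIST_TAG = /^[A-Za-z][\w-]*$/;

// Classify one version specifier: 'pinned', 'range', 'tag' or 'non-registry'.
function classifyDependencySpec(spec) {
  const s = String(spec).trim();
  if (NON_REGISTRY.test(s) || GITHUB_SHORTHAND.test(s)) return 'non-registry';
  if (EXACT_VERSION.test(s)) return 'pinned';
  if (DIST_TAG.test(s)) return 'tag';
  // Everything else ("^1.0.0", "~2.4.0", "1.2.x", "*", "", "1.0.0 - 2.0.0")
  // lets the registry choose a version within a range.
  return 'range';
}

// Walk the dependency sections of a parsed package.json and collect every
// entry that is not an exact pin.
function findUnpinnedDependencies(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const kind = classifyDependencySpec(spec);
      if (kind !== 'pinned') findings.push({ section, name, spec, kind });
    }
  }
  return findings;
}

// Constructed sample manifest (not the project's real package.json).
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    'left-pad': '^1.0.0',
    'lodash': '4.17.21',
    'some-tag-dep': 'latest',
    'some-git-dep': 'git+https://example.invalid/repo.git',
  },
  devDependencies: {
    'eslint': '~2.4.0',
    'mocha': '=2.4.5',
  },
};

for (const f of findUnpinnedDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.section}: ${f.name}@"${f.spec}" is ${f.kind}, not pinned`);
}
```

Pinning the specifiers in package.json only covers direct dependencies; transitive ones are still resolved by range unless a lockfile (npm shrinkwrap at the time of this issue, package-lock.json later) records them, and it is the lockfile's integrity checksums that detect a tarball republished under a name and version that was previously unpublished.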

@AlMcKinlay (Contributor, Author)

#!/usr/bin/env bash
# Fetch the list of unpublished package names, turn each name into a
# "/name$" pattern, and grep it against the paths of the installed packages
# printed by "npm ls --parseable".
# curl -f fails on an HTTP error instead of writing an error page into the
# pattern file; -sS stays quiet except for real errors; -L follows redirects.
curl -fsSL https://gist.githubusercontent.com/azer/db27417ee84b5f34a6ea/raw/50ab7ef26dbde2d4ea52318a3590af78b2a21162/gistfile1.txt \
    | sed 's/^\(.*\)$/\/\1$/' \
    > ~/suspicious-packages.txt \
    && npm ls --parseable \
    | grep -f ~/suspicious-packages.txt

That can be run to find out if any of our packages were one of the ones pulled btw, and then we can check we won't download a new "malicious" version of it.

@AlMcKinlay AlMcKinlay added ready and removed next labels Jun 5, 2017