
Re: [NodeJS NPM] security concerns




On 2 Oct 2013, at 00:57, Pedro Worcel <pedro@worcel.com> wrote:

NPM nodejs package manager doesn't check for https signatures communicating with the central repo, which could give an attacker with MITM capabilities the possibility to execute code.


The maintainer considers this to be a bug that is on his "eventually" list.


I'm not quite sure what the actual issue is at this moment.

The referenced GitHub issue is 2 years old. The current version of NPM does appear to check certificates. See config option 'strict-ssl' which is 'true' by default. I also checked the actual code - it *does* check the ssl cert if strict-ssl is true, relying on this library: https://github.com/mikeal/request. Which in turn does appear to do the right things.

Rgds,
Jeroen
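Since the reply above hinges on 'strict-ssl' being left at its default of true, here is an added example (not from either poster) of a small audit function that flags an .npmrc which turns that check off or points the registry at a plaintext URL. The file path is the only input; the npmrc contents used in testing are constructed.

```shell
#!/bin/sh
# audit_npmrc FILE: return 0 when FILE contains no setting that weakens
# TLS verification of registry traffic, 1 otherwise (findings go to stderr).
# A missing file means npm defaults apply, i.e. strict-ssl=true.
audit_npmrc() {
  file="$1"
  rc=0
  [ -f "$file" ] || return 0

  # strict-ssl=false disables certificate verification, which is exactly the
  # condition that would hand a MITM the code-execution opportunity described.
  if grep -Eiq '^[[:space:]]*strict-ssl[[:space:]]*=[[:space:]]*false[[:space:]]*$' "$file"; then
    echo "$file: strict-ssl is set to false" >&2
    rc=1
  fi

  # A plaintext registry URL (default or per-scope) removes TLS entirely, so
  # the certificate check never gets a chance to run.
  if grep -Eiq '^[[:space:]]*(@[^:=]+:)?registry[[:space:]]*=[[:space:]]*http://' "$file"; then
    echo "$file: registry configured over plaintext http" >&2
    rc=1
  fi

  return $rc
}
```

Run it against the per-user file (~/.npmrc) and any project-level .npmrc; a non-zero exit identifies a configuration to fix before installing packages.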
