-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve shrinkwrap security by default by using always SHA512 hashes #536
Comments
@zkat: As from what i read you have well analyzed this problem in many situations would you please advise on the best thing to do? I'm also considering crating a package (maybe a grunt plugin) just for fixing the shrinkwrap implementing a trust on first use approach, but i wonder if other projects has followed different approaches. thank you! |
This was referenced Jun 21, 2023
This was referenced Oct 21, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Current behaviour of NPM is to perform a shrinkwrap by using the archived SHA hash stored on the registry at the time of publishing.
This causes a well known behaviour where only packages published using NPM benefits of hashes of type SHA512, while older packages published before continue have only an hash of type SHA1 known to not be resilient about collisions.
This poses severe possible server securiy issues on crytical projects using dependencies published on NPM.
This ticket is to propose the reception of on of the following changes:
References:
https://npm.community/t/sha1-vs-sha512-integrity/3416
https://medium.com/@ldong/stupid-sha-checksum-changes-in-npm-5-4bcb93f40791
Ticket proposal idea defined while working on the GlobaLeaks project.
The text was updated successfully, but these errors were encountered: