
Lack of package-lock.json is effectively removing a key supply chain security feature #2081

Open
the-gabe opened this issue Sep 9, 2024 · 0 comments
Labels: CI/infra CI & infrastructure, security
Milestone: 24Q4

Comments

the-gabe commented Sep 9, 2024

In #920 it has been discussed that there will be no package-lock.json. I would strongly urge that this be reconsidered, given that a package-lock.json is responsible for distrusting npmjs.org on a TOFU basis. It is a fundamentally important security feature to have a package-lock.json; otherwise, blindly trusting what is on npmjs.org every single time "npm install" is executed seems like just an objectively bad idea.

@the-gabe the-gabe added bug Something isn't working needs-triage labels Sep 9, 2024
@chalin chalin added CI/infra CI & infrastructure and removed bug Something isn't working needs-triage labels Oct 3, 2024
@chalin chalin modified the milestones: 24Q3, 24Q4 Oct 3, 2024
@chalin chalin added the security label Oct 3, 2024