Collaborate Disseminate
I was thinking about how to ensure the authenticity of Node.js packages that are installed from a public registry like npmjs.com. The only mechanisms (optionally) in place to my understanding are:
ECDSA registry signatures. Which to my un… Continue reading How can authenticity be ensured for Node.js packages when using a public registry like npmjs.com?
Ubuntu snap is quite a hot topic. Therefore I am curious, what security risks are known for it?
Which misconfigurations are possible? And are there any misconfigurations which can be used to escalate to root user?
Continue reading Ubuntu – snap potential security issues (for privilege escalation)
Assuming you have full trust in your package manager i.e. pip or npm (not to be compromised and leak your packages). And you have full trust in your developers to always install the correct packages.
i.e.
npm publish –access restricted
Does the GNU GUIX package manager in require successful cryptographic authentication and integrity validation for all packages?
I know that software downloaded with apt-get packages must be cryptographically verified because the repo’s man… Continue reading Does GUIX provide cryptographic authentication and integrity validation?
I would like to restrict the installation of npm package in some projects of my company to releases that are at least X weeks old.
The reason for that being that given enough time before installing a package version, it is likely that if t… Continue reading Only install packages that are at least X weeks old [migrated]
I use the Windows Package Manager (winget) to automate app installs on Windows, but I’ve got a MacBook Air M3 on the way. And while I knew there were various package managers available for that platform, I wasn’t familiar with any of them and was curio… Continue reading Automate App Install on the Mac with Homebrew (Premium)
Does Node.js’s npm package manager cryptographically validate its payload’s authentication and integrity for all packages after downloading them and before installing them?
I see a lot of guides providing installation instructions with ste… Continue reading Does Node.js’s npm provide cryptographic authentication and integrity validation?
I am specifically looking at the npm package metadata like from the lodash package, the relevant part which is this:
{
"shasum": "392617f69a947e40cec7848d85fcc3dd29d74bc5",
"tarball": "https://registr… Continue reading How is the npm package manager made robust security-wise, what are the keys they are using, and how do they use them?
I am wondering how to distinguish (password) prompts that the OS issued from prompts that are delivered application-side. This question first occurred to me when considering Firefox master passwords, but it just occurred to me that install… Continue reading Distinguish origin of password prompts
Does npm ensure that the packages are not spying on your data, saving it somewhere or is it the responsibility of the developer to ensure it? Can I confidently use the moderately well-known packages without the data being saved and mishand… Continue reading Security and data protection reviews of npm packages