asfentherapy.blogg.se

npm devDependencies vs dependencies

Let's take JavaScript as an example, which uses npm as the central package registry. According to the definition, devDependencies (development dependencies) should contain packages which are used during development or which are used to build your bundle. For example, ESLint (linter), Mocha (test framework), and Webpack (module bundler). Are the vulnerabilities in those development dependencies or other related development dependencies exploitable during the development phase? If yes, then are there any examples?

Note: The answers to other related questions mention supply chain attacks. However, from what I know, the key of a supply chain attack is to inject malicious code into development dependencies, such as the well-renowned SolarWinds attack. My question is different, since in this case I am asking whether the development dependency itself can have malicious code that could be injected by attackers, so that the development dependency would become malicious. What I am asking is whether an attacker can exploit the vulnerability of a "benign" development dependency to harm the software I am developing in the development phase.

I am well aware that the best approach is to update any dependency, no matter whether it is a development dependency or a runtime/production dependency. But from a research perspective, I want to know whether a vulnerability in development dependencies has the chance to be exploited. I would like to also know the possible mitigation options.

Running the npm start command with the dev env set to development, or running a special command (like npm run dev, where dev is a special script which starts up a local development environment as specified in package.json), executes the devDependencies specified in the package.json. Of course it's up to the user in some cases to first include the required files, but there are exceptions like fake (simulated) APIs, localhost servers like the one used in Angular (you run it with ng serve, which by default does not even include self-signed SSL certificates), etc. Now the real danger is that Bash/PowerShell/Batch files and binaries could also be executed this way, which is a big yikes!

Now to the main part of the question - what possible harm could it do? Since it executes any arbitrary code, ignoring the fact that V8 (still in 2021 it's considered the most secure JavaScript engine) includes a great sandbox which Google put a lot of work into securing, and going in blind without any code review, it could mean one of the following:

  • Since it has filesystem access it could mess with your filesystem and possibly, in theory, by extension install rootkits.
  • It could sniff your local network traffic, which nowadays is usually encrypted.
  • It could mess with your packets, send out packets you don't want.
  • Mess with your certificates, forge them etc.
  • A malicious linter could do the opposite of snyk.io - insert/suggest building vulnerabilities into your app, making a vulnerable app/API in production.
  • Obfuscate itself to hide malicious code.
  • And other possibilities that malware generally has.

Security StackExchange is full of other suggestions of how it might get abused. There's no built-in permissions system or anything like that, so the possibilities are pretty much endless apparently.
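As an added example (not code from the question or the answer above), a small Node.js audit that makes the answer's point concrete: it reports which devDependencies declare npm lifecycle hooks (preinstall, install, postinstall, prepare), which run during npm install before any app code, and which of the project's own scripts such as npm start or npm run dev launch a binary supplied by a devDependency. The package.json contents and the version strings below are constructed samples; in real use the second argument would be filled by reading node_modules/<name>/package.json for each declared devDependency.

```javascript
// Added example: audit what code a project's devDependencies get to run on a
// developer machine. All package.json objects below are constructed samples.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];

// rootPkg: the project's package.json. installed: map from package name to that
// package's own package.json (normally read from node_modules/<name>/package.json).
function auditDevDependencies(rootPkg, installed) {
  const devNames = Object.keys(rootPkg.devDependencies || {});
  const findings = { installHooks: [], scriptsUsingDevBins: [] };

  // 1. Lifecycle hooks: npm runs these during `npm install`, before any app code.
  for (const name of devNames) {
    const scripts = (installed[name] && installed[name].scripts) || {};
    const hooks = LIFECYCLE.filter((h) => h in scripts);
    if (hooks.length) findings.installHooks.push({ name, hooks });
  }

  // 2. Binaries provided by devDependencies (their "bin" field) that the
  //    project's own scripts (`npm start`, `npm run dev`, ...) launch.
  const binOwner = {};
  for (const name of devNames) {
    const bin = (installed[name] && installed[name].bin) || {};
    // A string "bin" means one executable named after the (unscoped) package.
    const bins = typeof bin === "string" ? [name.replace(/^@[^/]+\//, "")] : Object.keys(bin);
    for (const b of bins) binOwner[b] = name;
  }
  for (const [script, cmd] of Object.entries(rootPkg.scripts || {})) {
    const first = cmd.trim().split(/\s+/)[0]; // executable only; VAR=x prefixes are not handled
    if (first in binOwner) findings.scriptsUsingDevBins.push({ script, bin: first, package: binOwner[first] });
  }
  return findings;
}

// Constructed sample project: version ranges and "example-helper" are placeholders.
const sampleRoot = {
  scripts: { start: "ng serve", dev: "webpack serve --mode development", lint: "eslint ." },
  dependencies: { "example-http-lib": "^1.0.0" },
  devDependencies: { "@angular/cli": "^12.0.0", webpack: "^5.0.0", eslint: "^7.0.0", "example-helper": "^1.0.0" },
};
const sampleInstalled = {
  "@angular/cli": { bin: { ng: "bin/ng" } },
  webpack: { bin: { webpack: "bin/webpack.js" } },
  eslint: { bin: { eslint: "bin/eslint.js" } },
  "example-helper": { scripts: { postinstall: "node scripts/setup.js" } },
};

const report = auditDevDependencies(sampleRoot, sampleInstalled);
for (const f of report.installHooks) console.log(`install-time code: ${f.name} (${f.hooks.join(", ")})`);
for (const f of report.scriptsUsingDevBins) console.log(`npm run ${f.script} launches ${f.bin} from devDependency ${f.package}`);
```

Running npm ci --ignore-scripts skips the hooks the first check reports, and npm install --omit=dev keeps devDependencies out of a production install altogether. Neither changes what npm start or npm run dev deliberately launches, so the second list is what still needs review.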