dependency-confusion
Andrew Udvare
audvare at gmail.com
Sun Feb 21 22:08:07 UTC 2021
On 21/02/2021 16:43, Rene Engelhard wrote:
> And LibreOffice Online *does* use npm.
>
> So while LibreOffice itself shouldn't be affected, conceptually by using
> npm LibreOffice Online is.
I think if you use 'npm install' (or 'yarn install'), the manager should
be pulling in the correct version and then hash checking based on the
contents of the .lock file. Running `npm update`, `npm install <new
package>` or similar may be affected.
The real issue is when a new dependency gets added or updated but
everything seems normal, in that the replacement dependency has stubs to
not make the code crash, but also does nefarious things in the
background. There would be no way to know without deep inspection, and
npm dependency trees are usually huge.
--
Andrew
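The distinction Andrew draws above is between an install that is pinned by the lock file's `resolved` URL and `integrity` hash and the step that adds or updates an entry, where a substituted package can slip in. Below is an added example, not code from this thread or from LibreOffice Online: a small Node.js script that audits a `package-lock.json` (lockfileVersion 2 or 3, which carry a `packages` map keyed by `node_modules` path) for entries with no `integrity` hash, entries still pinned by a SHA-1 hash, and packages under an internal scope whose `resolved` URL points anywhere other than the private registry. The scope `@example-internal`, the registry host `npm.internal.example`, and the sample lockfile embedded at the bottom are all hypothetical placeholders.

```javascript
// Added example, not code from the original thread or from LibreOffice Online.
// Audits a package-lock.json (lockfileVersion 2/3 "packages" map) for:
//   1. entries without an "integrity" hash the installer can verify;
//   2. entries whose integrity hash is not sha512 (sha1 is weak);
//   3. internal-scope packages resolved from outside the private registry,
//      which is what a dependency-confusion substitution looks like in the lock.
// "@example-internal" and "npm.internal.example" are hypothetical placeholders.
const INTERNAL_SCOPES = ["@example-internal"];
const PRIVATE_REGISTRY_HOST = "npm.internal.example";

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns a list of findings; an empty list means every fetched package is
// integrity-pinned and every internal package came from the private registry.
function auditLockfile(lock, opts = {}) {
  const scopes = opts.internalScopes || INTERNAL_SCOPES;
  const privateHost = opts.privateRegistryHost || PRIVATE_REGISTRY_HOST;
  const findings = [];

  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "" || entry.link) continue; // root project or workspace symlink
    const name = entry.name || nameFromPath(lockPath);
    const report = (issue) =>
      findings.push({ name, path: lockPath, issue, resolved: entry.resolved || null });

    if (!entry.integrity) {
      report("missing-integrity");
    } else if (!entry.integrity.startsWith("sha512-")) {
      report("weak-integrity-algorithm");
    }

    let host = null;
    if (entry.resolved) {
      try {
        host = new URL(entry.resolved).host;
      } catch {
        report("unparseable-resolved-url");
      }
    }
    const isInternal = scopes.some((s) => name.startsWith(s + "/"));
    if (isInternal && host !== privateHost) {
      report("internal-package-resolved-outside-private-registry");
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project); hashes are placeholders.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 2,
  requires: true,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      integrity: "sha512-constructedPlaceholderHash0000000000000000000000000000000000==",
    },
    "node_modules/@example-internal/auth": {
      version: "2.3.0",
      resolved: "https://npm.internal.example/@example-internal/auth/-/auth-2.3.0.tgz",
      integrity: "sha512-constructedPlaceholderHash1111111111111111111111111111111111==",
    },
    // Internal name, but the tarball came from the public registry.
    "node_modules/@example-internal/ui-kit": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/@example-internal/ui-kit/-/ui-kit-1.0.0.tgz",
      integrity: "sha512-constructedPlaceholderHash2222222222222222222222222222222222==",
    },
    "node_modules/legacy-helper": {
      version: "0.1.0",
      resolved: "https://registry.npmjs.org/legacy-helper/-/legacy-helper-0.1.0.tgz",
      integrity: "sha1-constructedPlaceholder=",
    },
    "node_modules/unpinned-thing": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/unpinned-thing/-/unpinned-thing-1.0.0.tgz",
    },
  },
};

// CLI use: node audit-lock.js package-lock.json (file name is an assumption).
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) console.log(`${f.issue}\t${f.name}\t${f.resolved}`);
}
```

On the sample above the script reports three entries: the internal-scoped `ui-kit` fetched from the public registry, `legacy-helper` with a SHA-1 hash, and `unpinned-thing` with no hash at all. In CI the lock should be installed with `npm ci`, which refuses to run when `package.json` and the lock disagree and fails on an integrity mismatch, whereas `npm install` may rewrite the lock and so can absorb exactly the add/update step this thread is worried about.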