[RRFC] add message (or opt-out support) for non registry tarball URLs

[thescientist13]

Motivation ("The Why")

This came up during one of the recent RFC meetings a couple weeks ago, and so just wanted to capture it for posterity. I also think it would be a nice feature to have for the security conscious among us.

Example

Whenever a command is run, like npm i that otherwise adds / updates installed packages on disk, if any package is NOT coming from a registry (e.g. a tarball URL), then a message should be presented to the user.

For example a package.json like this would trigger a message

{
  "dependencies": {
    "@babel/cli": "^7.4.0",
    "eslint": "git+https://github.com/eslint/eslint.git"
  }
}

---

I speculate that it might only need to apply to transitive dependencies because presumably as an author, if you are setting it for your direct dependencies in your own top-level package.json, then that was a conscious choice. Where as you have no control over what's at the end of that tarball URL if it's coming in through a transitive dependency.

How

Current Behaviour

There is no messaging about tarball URLs.

Desired Behaviour

An npm install going forward would message about tarball URLs.

 % npm i     
npm WARN deprecated [email protected]: CoffeeScript on NPM has moved to "coffeescript" (no hyphen)
npm WARN eslint installed from tarball URL <URL>

added xxx packages, and audited xxx packages in 8s

...

Additionally, is there value in having the operation fail if the user wants to opt-out of tarball URLs entirely? The rationale being that if the package is installed, but only a message is shown, and if that package is malicious, then it is already too late by that point to avoid any harm.

Some users may want to explicitly opt-out of any anything that does NOT come from a registry, and so the command should fail immediately at that point.

$ npm install --no-tarball-urls

References

• n/a

[ljharb]

I would still want it on direct dependencies; i might set the flag in npmrc and a coworker might unknowingly install a direct non-registry dep.

[ljharb]

The behavior I’d want is to configure either silent, warn, or fail the install. The non-semver-major default should be “nothing”, and probably in v9 should change to “warn”.

[thescientist13]

Some feedback from the call, prior to opening an RFC

• warn by default for direct dependencies
• hide by default for transitive dependencies
• flag to enable deeper level of transparency + action-ability via flag (e.g. to fail the build, or at least warn about transitive dependencies, etc)

[darcyclarke]

Closing: discussion can/should move to the new RFC/PR (ref. #593)

[Andreitha22]

Gcvnkmnj

[Andreitha22]

Gcvnkmnj