This repository has been archived by the owner on Jan 17, 2023. It is now read-only.

Use yarn for package management #2430

Closed
g-k opened this issue Mar 20, 2017 · 7 comments
Labels
build Related to our build process security Security issue: can be an active issue, or related to security hygiene

Comments

@g-k
Contributor

g-k commented Mar 20, 2017

see also: https://github.com/mozilla-services/foxsec/issues/134

A compromised package or MITMed dependency could npm run arbitrary scripts as part of an install: https://docs.npmjs.com/misc/scripts

This can be fixed by using npm install --no-script.

However, https://yarnpkg.com/ will also validate package contents against a checksum which is preferable.

@jvehent jvehent added the security Security issue: can be an active issue, or related to security hygene label Mar 20, 2017
@ghost ghost added this to the Screenshots in 54 milestone Mar 20, 2017
@dannycoates dannycoates self-assigned this Apr 11, 2017
@johngruen johngruen assigned jaredhirsch and unassigned dannycoates Jun 12, 2017
@johngruen johngruen modified the milestones: 55.1, General Release 55 Jun 12, 2017
@johngruen
Contributor

@6a68 will take a look

@pdehaan
Collaborator

pdehaan commented Jun 12, 2017

@g-k Do you know if there have been any similar checksum additions in latest npm 5 (which is bundled with recent Node 8)? http://blog.npmjs.org/post/161081169345/v500

I know npm 5 also includes a package-lock.json file (similar to the shrinkwrap.json), but wasn't sure if that offered the same functionality as Yarn.

@jaredhirsch
Member

From a recent blog post by the yarn team, it seems that the difference is somewhat academic:

npm 5 has stronger guarantees across versions and has a stronger deterministic lockfile, but Yarn only has those guarantees when you’re on the same version in favor of a lighter lockfile that is better for review.

Are there other compelling reasons to switch?

@jaredhirsch jaredhirsch assigned g-k and unassigned jaredhirsch Jun 12, 2017
@g-k
Contributor Author

g-k commented Jun 13, 2017

Yeah, this predates npm 5. After finding this I'm not sure yarn is necessarily an improvement. I'll do some testing and update this issue.

@ianb
Contributor

ianb commented Jun 13, 2017

Presumably if we stick with npm we'd still want to generate a lockfile and check it in (which we aren't doing now).

@ianb ianb assigned ianb and unassigned g-k Jun 19, 2017
ianb added a commit that referenced this issue Jun 19, 2017
@jaredhirsch
Member

@g-k we're going with the easier npm shrinkwrap option for now. Feel free to reopen or file a new bug if the recommendation goes back to yarn.

@ianb ianb removed this from the 55.1 milestone Jan 10, 2018
@ianb ianb reopened this Jan 10, 2018
@ianb
Contributor

ianb commented Jan 10, 2018

We never did npm shrinkwrap, and we've had a lot of problems with npm lockfiles. I think we should reconsider yarn.
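One way to act on the lockfile concern raised in this thread, as an added example that is not part of the Screenshots project or of any comment above: it walks a constructed lockfileVersion 1 package-lock.json and reports entries that carry no integrity hash, that still use a sha1 hash, or that resolve over a non-HTTPS URL. The package names, versions and hash values are placeholders, not real packages.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 1 layout, nested
// `dependencies` maps) for entries that cannot be verified at install time.
// SAMPLE_LOCK is constructed for illustration; names and hashes are placeholders.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'pkg-a': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/pkg-a/-/pkg-a-1.0.0.tgz',
      integrity: 'sha512-' + 'A'.repeat(86) + '==',   // placeholder hash
      dependencies: {
        'pkg-b': {
          version: '2.1.0',
          resolved: 'http://registry.npmjs.org/pkg-b/-/pkg-b-2.1.0.tgz', // plaintext fetch
          integrity: 'sha1-' + 'B'.repeat(27) + '=',   // sha1, not SHA-2
        },
      },
    },
    // No integrity field at all: the tarball is fetched but never checked.
    'pkg-c': { version: '0.3.0', resolved: 'https://registry.npmjs.org/pkg-c/-/pkg-c-0.3.0.tgz' },
  },
};

// Returns a list of { path, issue } findings; `path` is the dependency chain.
function auditLockfile(lock) {
  const findings = [];
  function visit(deps, chain) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = [...chain, name].join(' > ');
      if (!entry.integrity) {
        findings.push({ path, issue: 'missing integrity hash' });
      } else if (!/^sha(256|384|512)-/.test(entry.integrity)) {
        findings.push({ path, issue: 'integrity uses ' + entry.integrity.split('-')[0] + ' rather than SHA-2' });
      }
      if (entry.resolved && !entry.resolved.startsWith('https://')) {
        findings.push({ path, issue: 'resolved over non-HTTPS URL' });
      }
      visit(entry.dependencies, [...chain, name]);   // recurse into nested deps
    }
  }
  visit(lock.dependencies, []);
  return findings;
}

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(f.path + ': ' + f.issue);
}
```

Pointing the same function at a real lockfile (`JSON.parse(fs.readFileSync('package-lock.json'))`) gives a quick pre-merge check that every pinned tarball is both hash-verified and fetched over TLS.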

@ianb ianb added build Related to our build process and removed server labels Jan 10, 2018
@ianb ianb removed their assignment Jan 16, 2018
7 participants