The NPM package is considered a security risk


#1

I just deleted brave-bin (installed from the AUR) & went to install brave-git as I hear there are fewer bugs.

I was blocked from installation due to my having nodejs blocked in my /etc/pacman.conf IgnorePkg= section.

None of my other browsers use npm which lists nodejs & semver as dependencies.

Is it possible to compile Brave without npm?

I’ve tried by editing out npm in the PKGBUILD but the git clone & compilation process must pull in more instructions that cause a failure due to npm not being available.


#2

Some intrepid hackers have used yarn with mixed results; support for it is being tracked here: https://github.com/brave/browser-laptop/issues/6437


#3

Thanks @alex

I read the page that you linked to. Unfortunately it doesn’t bode too well re. an escape from NPM/node.js at this stage (I’ve been educating myself & I’m starting to wonder if escape is possible at all?).

I’ll keep hoping that a way around the security/privacy issues inherent in NPM/node.js will be removed from Brave by the Brave dev team.

I appreciate why the likes of NPM exists, it is in some ways Java dev heaven. Unfortunately it connects to just too much unknown code & code creators.

What my discovery of node.js has done is make me aware of the security issues in most (if not all) web browsers. Those that I have installed as -bin files are certainly including NPM/node.js in their builds.

So how the hell do we find a way to surf the web in a secure/private fashion these days?

I try (as a political statement - no one asked my permission to track/profile me). :frowning:


#4

Hi Handy,
What are the risks exactly? One executes unaudited/malicious code (that’s part of the browser)?


#5

@fatboy I wrote a question looking for more technical knowledge about this problem in the Manjaro off-topic section of the forum. A copy of it follows:

[quote]I’ve very recently become aware of node.js & its file manager npm & what looks like the immense security issues that they bring with them.

node.js/npm look to me to be being used by all web browsers & likely just about every other application that uses JavaScript.

This page is worth a read & it is pro-node.js/npm:

If things are as they look to me to be then there are appalling security vulnerabilities that JavaScript brings via node.js/npm.

Which means that no matter how many precautions we take in an effort to secure our browsers for privacy (in particular), we are left with a HUGE gaping hole that is a backdoor for anyone who is serious about invading internet user privacy (at the very least).

A serious threat could be mounted by those with the resources to create many (100’s of useful) JavaScript files that would be attractive to other JavaScript devs to use (or parts of them), as these files would, via node.js/npm, make the devs’ lives so much easier when it comes to producing their finished product.

These (possibly 100’s or more) files could include security/privacy/tracking code built in & it would never be noticed by the people that use these files.

Does anyone here have any technical knowledge about this situation that they would like to share in an effort to improve our (my, at least) understanding of this situation?[/quote]


#6

I’m really worried about this.

1. Is there any way that Brave could be built without NPM package(s)?

2. Is only the brave-bin from the AUR a problem? Or is the installed *.deb/rpm file also a problem?


#7

Dear Brave Devs,
Are you aware of this?


#8

Just commenting so I can get notified of updates.


#9

FYI recently we have started using package-lock.json to verify the SHA hash of the packages.

With package-lock.json, making semver more strict such as removing ~ and ^ and requiring security audit on every update of package.json would reduce the security risk.

What do you guys think about that?


#10

After removing semver specifications, it would be updated with npm-check-updates like this:

Run ncu with -u to upgrade package.json

Brave-MacBook-Pro:browser-laptop Suguru$ ncu
Using /Users/Suguru/browser-laptop/package.json
⸨░░░░░░░░░░░░░░░░░░⸩ ⠸ :
 acorn                                            3.2.0  →          5.1.2 
 aphrodite                                        1.1.0  →          1.2.4 
 async                                            2.0.1  →          2.5.0 
 bignumber.js                                     4.0.4  →          4.1.0 
 clipboard-copy                                   1.0.0  →          1.2.0 
 compare-versions                                 3.0.1  →          3.1.0 
 electron-localshortcut                           0.6.0  →          2.0.2 
 file-loader                                     0.11.2  →          1.1.5 
 font-awesome                                     4.5.0  →          4.7.0 
 font-awesome-webpack                             0.0.4  →   0.0.5-beta.2 
 fs-extra                                         2.1.2  →          4.0.2 
 immutable                                        3.7.5  →          3.8.2 
 immutablediff                                    0.4.2  →          0.4.4 
 l20n                                             3.5.1  →          5.0.0 
 lru-cache                                        1.0.0  →          4.1.1 
 moment                                          2.15.1  →         2.18.1 
 parse-torrent                                    5.8.1  →          5.8.3 
 prettier-bytes                                   1.0.3  →          1.0.4 
 prop-types                                      15.5.6  →         15.6.0 
 punycode                                         2.0.0  →          2.1.0 
 react                                           15.6.1  →         16.0.0 
 react-dnd                                        2.1.4  →          2.5.4 
 react-dnd-html5-backend                          2.1.2  →          2.5.4 
 react-dom                                       15.5.4  →         16.0.0 
 tldjs                                            1.6.2  →          2.2.0 
 babel                                           6.1.18  →         6.23.0 
 babel-core                                      6.3.15  →         6.26.0 
 babel-loader                                     7.1.1  →          7.1.2 
 babel-plugin-transform-react-constant-elements   6.4.0  →         6.23.0 
 babel-plugin-transform-react-inline-elements     6.4.0  →         6.22.0 
 babel-polyfill                                  6.3.14  →         6.26.0 
 babel-preset-env                                 1.1.6  →          1.6.0 
 babel-preset-react                              6.1.18  →         6.24.1 
 babel-register                                  6.3.13  →         6.26.0 
 babel-runtime                                   6.3.13  →         6.26.0 
 base64-js                                        1.2.0  →          1.2.1 
 chai                                             3.4.1  →          4.1.2 
 chai-as-promised                                 5.1.0  →          7.1.1 
 co-mocha                                         1.1.2  →          1.2.0 
 cross-env                                        3.1.4  →          5.0.5 
 electron-builder                                17.1.1  →        19.35.1 
 enzyme                                           2.9.1  →          3.1.0 
 flow-bin                                        0.53.1  →         0.56.0 
 git-rev-sync                                     1.8.0  →          1.9.1 
 gulp                                             3.9.0  →          3.9.1 
 joi                                             10.2.2  →         11.3.3 
 jsdom                                           11.2.0  →         11.3.0 
 json-loader                                      0.5.4  →          0.5.7 
 jsonfile                                         2.2.3  →          4.0.0 
 less                                             2.5.3  →  3.0.0-alpha.3 
 less-loader                                      2.2.1  →          4.0.5 
 mocha                                            2.3.4  →          4.0.1 
 node-gyp                                         3.3.1  →          3.6.2 
 node-static                                      0.7.7  →         0.7.10 
 nsp                                              2.2.0  →          2.8.1 
 react-addons-perf                               15.2.1  →         15.4.2 
 react-addons-test-utils                         15.4.1  →         15.6.2 
 react-test-renderer                             15.5.4  →         16.0.0 
 request                                         2.81.0  →         2.83.0 
 sinon                                           1.17.6  →          4.0.1 
 standard                                         9.0.0  →         10.0.3 
 style-loader                                    0.18.2  →         0.19.0 
 uuid                                             3.0.1  →          3.1.0 
 webdriverio                                      4.7.1  →          4.8.0 
 webpack                                          3.4.1  →          3.6.0 
 webpack-dev-server                               2.6.1  →          2.9.1 
 webpack-notifier                                 1.2.1  →          1.5.0 
 xml2js                                          0.4.15  →         0.4.19 

Does it seem better to update like this than to let npm install auto-update according to semver?


#11

FYI: I opened a PR proposing to replace carets with tildes to accept only minor updates.

https://github.com/brave/browser-laptop/pull/11493

If it is accepted, it could be a step to remove semver ultimately.
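
To make the caret-versus-tilde difference in that PR concrete, here is an added example (written for this thread; not Brave's code and not the npm semver library) implementing npm's rules for the two prefixes, then checking which of the newer versions from the ncu listing in #10 each prefix would silently accept on the next install. It handles the 0.x special cases of the caret range and treats pre-release versions as non-matching; everything else about npm ranges (wildcards, hyphen ranges, ||) is out of scope.

```javascript
// Added example, not code from Brave or the npm semver library: a minimal
// matcher for the two range prefixes under discussion, caret (^) and tilde
// (~), following npm's rules, used to show what each would pull in.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  // Pre-release versions (e.g. 0.0.5-beta.2) are treated as non-matching,
  // which is also npm's default for ranges without a pre-release tag.
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound of a ^ or ~ range anchored at version `base`.
function upperBound(prefix, base) {
  const [major, minor, patch] = base;
  if (prefix === '~') return [major, minor + 1, 0]; // ~x.y.z -> <x.(y+1).0
  if (major > 0) return [major + 1, 0, 0];          // ^x.y.z -> <(x+1).0.0
  if (minor > 0) return [0, minor + 1, 0];          // ^0.y.z -> <0.(y+1).0
  return [0, 0, patch + 1];                         // ^0.0.z -> <0.0.(z+1)
}

// True if `version` is allowed by `range` ("1.2.3", "~1.2.3" or "^1.2.3").
function satisfies(version, range) {
  const prefix = /^[\^~]/.test(range) ? range[0] : '';
  const base = parse(prefix ? range.slice(1) : range);
  const v = parse(version);
  if (!base || !v) return false;
  if (!prefix) return cmp(v, base) === 0;
  return cmp(v, base) >= 0 && cmp(v, upperBound(prefix, base)) < 0;
}

// For each [name, pinned version, newer version on the registry], report
// whether a caret or tilde range on the pinned version accepts the newer one.
function driftReport(rows) {
  return rows.map(([name, pinned, newer]) => ({
    name,
    caret: satisfies(newer, '^' + pinned),
    tilde: satisfies(newer, '~' + pinned),
  }));
}

// Sample rows taken from the ncu listing in this thread.
const SAMPLE_ROWS = [
  ['react-dnd', '2.1.4', '2.5.4'],
  ['babel-loader', '7.1.1', '7.1.2'],
  ['react', '15.6.1', '16.0.0'],
  ['flow-bin', '0.53.1', '0.56.0'],
];
```

Running `driftReport(SAMPLE_ROWS)` shows the practical difference: `^2.1.4` lets react-dnd jump to 2.5.4 while `~2.1.4` does not, both accept the babel-loader patch, and neither accepts the react 16 major bump or the 0.56.0 flow-bin release (caret on 0.x pins the minor).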