Guidance and practice around production deployment

[jchip]

Hello, during the Jan 28, 2019 package maintenance meeting, we discussed issues with npm install running preinstall/install/postinstall scripts from packages automatically and that's becoming a concern for users and enterprise deployment of NodeJS.

Meeting minutes: https://github.com/nodejs/package-maintenance/blob/master/meetings/2019-01-28.md

There are three main stages that we are concerned with this:

• regular user running npm install for their development
• npm install during CI builds
• npm install during deployment to dev/staging/production

That last one is a not a good practice to start with, but it happens.

This is mainly a concern for npm and Tierney has opened a discussion here https://github.com/nodejs/package-maintenance/blob/master/meetings/2019-01-28.md and there's been some very good conversations and a talk of an RFC.

I am opening an issue here to keep security WG in the loop and if there's any guidance around this.

Thanks.

[lirantal]

Thanks for the heads up @jchip and great work with allow-scripts.
Would be happy to see npm get improvements on this

[MarcinHoppe]

I just read notes from package maintenance meeting and I agree this is a problem that needs to be addressed through guidance or (ideally) tooling.

@jchip The only document that I am aware of that discusses risks coming from using 3rd party code is the Node Security Roadmap. Did you have a look at it (specifically this chapter)?

[jchip]

@MarcinHoppe thanks for the info and they are very helpful. We are practicing most of the things outlined in the chapter. The key thing though is that our local registry is syncing up with the public registry automatically.

[MarcinHoppe]

@jchip Does the package maintenance WG feel this is something that the Node.js Foundation should guide developers on? Perhaps adding a Security concepts section to https://nodejs.org/en/docs/guides/ ?

[mhdawson]

@MarcinHoppe I think providing security guidance makes sense, likely driven by the Security WG.

[jchip]

Actually, at the moment all solutions discussed at npm level is to deny/allow npm scripts during install. If Security WG has any thing in the pipeline to make NodeJS a safe sandbox for executing JS, we could RFC npm to detect JS scripts and execute them in safe mode.

[MarcinHoppe]

I am not aware of anything in this space that would be useful in the short term.

I will start another discussion around missing guidance.

[MarcinHoppe]

@mhdawson I started #488 to discuss missing guidance.

[mhdawson]

@MarcinHoppe thanks, looks like a great start:)

[github-actions]

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.