remoteStorage

Http:// URLs in package-lock.json


#1

I noticed some URLs in package-lock.json use HTTP instead of HTTPS. In particular:

events-1.1.1
get-stream-3.0.0
p-is-promise
sha.js
readable-stream-2.3.6
wrap-ansi

minimist-1.2.0
jsesc-0.5.0
browserify-aes-1.2.0
create-hash-1.2.0
create-hmac-1.1.7
diffie-hellman-5.0.3
parse-asn1-5.1.1
readable-stream-2.3.6

All of these are for NPM, which thoroughly supports HTTPS.

Is this adequately secure in the current threat environment of the Internet?


#2

The file is automatically created and updated. Do you know how to configure npm to use https for those?


#3

Did some digging, and found this: https://npm.community/t/npm-install-downgrading-resolved-packages-from-https-to-http-registry-in-package-lock-json/1818/14

This original issue is still open on GitHub: https://github.com/npm/npm/issues/20106

Apparently it’s a server-side problem. Some people are replacing the URLs locally using a script after updating the lockfile.


#4

I have a commit (https://github.com/remotestorage/remotestorage.js/commit/4685d1aaef01299438e8c99e967bcdfff46a6078) which adds a postshrinkwrap script to avoid http/https churn in package-lock.json, but I’m still disentangling some earlier things. If anyone wants to cherry-pick that commit, go ahead.


#5

Works like a charm! I edited the commit message a bit, and opened a pull request: https://github.com/remotestorage/remotestorage.js/pull/1144