Description
Motivation ("The Why")
This came up during one of the recent RFC meetings a couple weeks ago, and so just wanted to capture it for posterity. I also think it would be a nice feature to have for the security conscious among us.
Example
Whenever a command is run, like npm i, that otherwise adds / updates installed packages on disk, if any package is NOT coming from a registry (e.g. a tarball URL), then a message should be presented to the user.
For example a package.json like this would trigger a message
{
  "dependencies": {
    "@babel/cli": "^7.4.0",
    "eslint": "git+https://github.com/eslint/eslint.git"
  }
}
I speculate that it might only need to apply to transitive dependencies because presumably as an author, if you are setting it for your direct dependencies in your own top-level package.json, then that was a conscious choice, whereas you have no control over what's at the end of that tarball URL if it's coming in through a transitive dependency.
How
Current Behaviour
There is no messaging about tarball URLs.
Desired Behaviour
An npm install going forward would message about tarball URLs.
% npm i
npm WARN deprecated [email protected]: CoffeeScript on NPM has moved to "coffeescript" (no hyphen)
npm WARN eslint installed from tarball URL <URL>
added xxx packages, and audited xxx packages in 8s
...
Additionally, is there value in having the operation fail if the user wants to opt out of tarball URLs entirely? The rationale being that if the package is installed, but only a message is shown, and if that package is malicious, then it is already too late by that point to avoid any harm.
Some users may want to explicitly opt out of anything that does NOT come from a registry, and so the command should fail immediately at that point.
$ npm install --no-tarball-urls
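A check in the spirit of this proposal, added here as an example and not npm's own code: it reads a lockfile v2/v3 packages map, flags every package whose resolved source is not a registry, separates direct from transitive dependencies as the speculation above suggests, and can refuse the run the way --no-tarball-urls would. The registry allow-list, the sample lock contents and the option names are assumptions.

```javascript
// Added example, not npm's own code: scan a lockfile v2/v3 "packages" map and
// flag every installed package whose "resolved" field is not a registry URL,
// separating direct dependencies (a conscious choice in package.json) from
// transitive ones (which the project author does not control).
const REGISTRY_HOSTS = new Set(["registry.npmjs.org"]); // assumed allow-list

// Classify a lockfile "resolved" value as registry, git, tarball or other.
function classifyResolved(resolved) {
  if (typeof resolved !== "string") return "other";           // missing field
  if (/^git(\+|:)/.test(resolved)) return "git";               // git+https, git+ssh, git:
  let url;
  try { url = new URL(resolved); } catch { return "other"; }   // bare paths
  if (url.protocol !== "https:" && url.protocol !== "http:") return "other"; // file: etc.
  return REGISTRY_HOSTS.has(url.hostname) ? "registry" : "tarball";
}

// List every non-registry package and whether it is a direct dependency.
function findNonRegistryPackages(lock) {
  const root = lock.packages[""] || {};
  const direct = new Set(Object.keys({ ...root.dependencies,
    ...root.devDependencies, ...root.optionalDependencies }));
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "" || entry.link) continue;                   // root and workspace links
    const kind = classifyResolved(entry.resolved);
    if (kind === "registry") continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + 13); // strip nesting prefix
    const isDirect = path === `node_modules/${name}` && direct.has(name);
    findings.push({ name, path, kind, resolved: entry.resolved, direct: isDirect });
  }
  return findings;
}

// Mirror the proposal: warn (optionally only for transitive deps), or refuse the
// install outright when the user opted out of non-registry sources.
function checkInstall(lock, { transitiveOnly = false, noTarballUrls = false } = {}) {
  const findings = findNonRegistryPackages(lock).filter(f => !(transitiveOnly && f.direct));
  const messages = findings.map(f => `npm WARN ${f.name} installed from ${f.kind} URL ${f.resolved}`
    + (f.direct ? "" : " (transitive)"));
  return { ok: !(noTarballUrls && findings.length > 0), messages, findings };
}

// Constructed sample lock (commit hash and tarball host are placeholders).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { dependencies: { "@babel/cli": "^7.4.0", eslint: "git+https://github.com/eslint/eslint.git" } },
  "node_modules/@babel/cli": { resolved: "https://registry.npmjs.org/@babel/cli/-/cli-7.4.0.tgz" },
  "node_modules/eslint": { resolved: "git+ssh://git@github.com/eslint/eslint.git#0123abcd" },
  "node_modules/eslint/node_modules/vendored-helper": { resolved: "https://example.com/vendored-helper-1.0.0.tgz" },
} };
console.log(checkInstall(sampleLock).messages.join("\n"));
```

Run against a real project by replacing sampleLock with JSON.parse of its package-lock.json; the transitiveOnly option is the variant the speculation above describes.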
References
- n/a