Published Docker images for v6 are bad?

[ferbs]

I'm trying out Verdaccio using a recently published Docker image (6.0.0-beta.1) and noticed that the files within the container don't seem to correspond with the src in this repo.

In particular, I looked at api/publish.js to see why mine was failing but the image's publishPackage function is very different from @verdaccio/[email protected] or any other commit here. It's almost identical to the file extracted from the v5.29 docker image--that source code is somewhere else?

Extracted not-v6-beta-1.publish.js.txt using:

docker run --entrypoint sh --user root verdaccio/verdaccio:6.0.0-beta.1 -c 'cat /usr/local/lib/node_modules/verdaccio/build/api/endpoint/api/publish.js' > not-v6-beta-1.publish.js

[juanpicado]

Thanks I'll check but 🤔 seems odd to me, the beta should have @verdaccio/[email protected] versions.

[ferbs]

It looks like individual packages use fixed/shared versioning, not independent, so why not tag the docker image the same?

I can't find a match in git for the "function publishPackage" that's running in docker. (It begins by setting up a tarball stream, publish.js attached above.) Can you please point me to that source code?

[ferbs]

I tried to do a docker build out of curiousity but it seems to require some host setup (fails at Cannot find module '@verdaccio/web') so I skimmed the Dockerfile instead. It copies all of /opt/verdaccio-build into the target after doing a build, but the recently published images only have a single docker-bin directory there. Did an old version look like that? Maybe some simple mistake on my side or in the versioning or build script but...

It occurs to me that Verdaccio would be a rich target for distributing malware. "Pulls 100M+". Does it get security audits?

[juanpicado]

Extracted not-v6-beta-1.publish.js.txt using:

I never open attached files, is better if you post the content is visible from any device.

I tried to do a docker build out of curiousity but it seems to require some host setup (fails at Cannot find module '@verdaccio/web') so I skimmed the Dockerfile instead

The branch for v6 is 6.x if you want to see the code is there. Regarding releases docker for 6.x does not have "official" release yet, only npmjs anyhow on the branch 6.x the tag 6.x-next and I don't expect release any docker until 5.x is replaced.

It occurs to me that Verdaccio would be a rich target for distributing malware. "Pulls 100M+". Does it get security audits?

🤷🏼 project uses tooling for security health like Snyk and socket security lately for dependency discovery, also sometimes https://github.com/NodeSecure/vulnera locally.

https://snyk.io/advisor/npm-package/verdaccio

Anyhow, aside of that :) all visitors here might have seen https://github.com/verdaccio/verdaccio/blob/master/SECURITY.md and know what to do if someone finds something + you might have noticed renovate update quite often dependencies, but as any software nothing is perfect.

I hope that answer your question.

[ferbs]

What's actually being published to the v6 docker images is different from what you think is landing there.
The publishPackage function in docker looks about the same as what's published to npmjs as v5. I don't see that v5 src anywhere in this repo though, so how's it getting into the published image?
I can think of non-sinister ways (eg, accidentally pinning to an old dependency; external script pushing incorrect version to VERDACCIO_BUILD_REGISTRY) but it could potentially be something less innocent. Either way, needs investagation, the v6 docker images are off.

[juanpicado]

I'll check thanks for reporting.

[ferbs]

@juanpicado I just took a look at the 6.0.0-beta.2 docker image and it seems to have the same problem. My mistake or is the build system buggy?