-
Against what?
That should be filed against GitHub; they certainly should improve their interface and better surface "dangerous" changes.
-
Is this file unique for each user?
But the actual file is minified, so it won't do any good even if GitHub allows exploring this file; a regular user won't ever notice some extra code inserted somewhere in between.
-
By default, yarn2 needs to store a .cjs file in the project repo. The issue is that a malicious user can update this file to the latest version (e.g. 3.1.0 -> 3.1.1) and inject any code into it. Even worse, GitHub won't even show the diff between versions.
So I've updated the local yarn version to the latest, added a console log to the start and opened a PR to check how it looks.
Now, every time I run `yarn`, it will execute the code I pasted in before. Can the original yarn package at least verify the checksum of this file before running it?
cc @ai