Lock-down dependencies with npm shrinkwrap #95
Comments
Thank you Dan!

With this in and with the new configuration management and CLI executable, perhaps it's a good time to consider publishing btc-rpc-explorer to the NPM registry?

You're welcome! And yes, I'm on board for publishing. Haven't done it before but it looks super simple - just signed up with npmjs.com and logged in via CLI. Now it's just

Yes, super simple indeed, just Other than that, yes, you should think about bumping the version and issuing a new release when you feel things are stable. NPM makes that pretty easy, running

Ah very cool. Thanks for the info, as always :)

Awesome! I'll send a PR to update the installation instructions :)
The `npm shrinkwrap` feature allows locking-down the package dependencies even when installed as an npm package and not manually from source. It is generally recommended to enable this for top-level apps like daemons and CLI tools, but not for libraries intended to be used as part of a larger app.

Other than ensuring a consistent environment and preventing dependency issues, locking down to specific versions also has the security advantage of package updates having to be explicit. To give a recent example, automatic updates of packages down the dependency tree helped enable the Copay hack just a few months ago. With `npm shrinkwrap`, the malicious version of the `event-stream` dependency wouldn't be installed unless the Copay developers explicitly updated their deps inside the time window where `event-stream` was vulnerable -- which is still possible, but much less likely.

To enable shrinkwrap, just run `npm shrinkwrap`, which will rename the `package-lock.json` file to `npm-shrinkwrap.json`, and check that in.

There's some more information on shrinkwrap on the npm blog (from the web archive, appears to be unavailable on the website for some reason).
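As an added example (not part of this PR or of btc-rpc-explorer's own code), the script below walks a lockfileVersion 1 `npm-shrinkwrap.json` and reports every entry that is not fully pinned, meaning it lacks an exact registry version or an `integrity` hash, which is what stops `npm install` from silently pulling a newer or altered tarball for a transitive dependency. The sample lockfile, its package names other than `event-stream`, and its hash values are constructed for illustration.

```javascript
// Added example: audit a lockfileVersion 1 npm-shrinkwrap.json / package-lock.json
// for entries that do not fully pin a dependency. An entry is "pinned" when it
// records an exact semver version AND an `integrity` hash; without both, a later
// registry publish (as in the event-stream incident) could be installed unnoticed.

// Constructed sample lockfile; the integrity strings are placeholders, not real hashes.
const SAMPLE_LOCK = {
  name: "btc-rpc-explorer",
  lockfileVersion: 1,
  dependencies: {
    "event-stream": {
      version: "3.3.4",
      integrity: "sha512-PLACEHOLDER_NOT_A_REAL_HASH",
      requires: { "example-stream-helper": "^0.1.0" },
      dependencies: {
        // Transitive dependency recorded without an integrity hash (the gap we flag).
        "example-stream-helper": { version: "0.1.0" }
      }
    },
    express: { version: "4.16.4", integrity: "sha512-PLACEHOLDER_NOT_A_REAL_HASH" }
  }
};

// Exact semver with optional prerelease tag, e.g. 3.3.4 or 1.0.0-beta.2.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Returns an array of { dep, problem } findings; an empty array means every
// entry in the tree is pinned by version and integrity.
function auditLockfile(lock) {
  const findings = [];
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const id = [...path, name].join(" > ");
      if (!EXACT_SEMVER.test(entry.version || "")) {
        findings.push({ dep: id, problem: "version is not an exact registry semver" });
      }
      if (!entry.integrity) {
        findings.push({ dep: id, problem: "missing integrity hash" });
      }
      // Nested `dependencies` hold deduplicated transitive entries in lockfile v1.
      walk(entry.dependencies, [...path, name]);
    }
  }
  walk(lock.dependencies, []);
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("npm-shrinkwrap.json", "utf8"))`; any finding is a dependency the shrinkwrap does not actually protect.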