Summary: A Dependency Confusion attack occurs when a software installer script is tricked into pulling a malicious package from a public repository instead of the intended file of the same name from an internal repository.
A malicious actor can abuse this scenario to create their own NPM package and register it in the public NPM Registry with the same name.
Recommendation: To remediate a potential NPM Dependency Confusion, follow these steps. First, conduct an audit using tools like npm audit or vulnerability scanners to identify vulnerable packages. Next, pin dependencies to specific versions in your project's configuration files (e.g., package.json, yarn.lock) to ensure exact versions are installed. Verify package sources by configuring the .npmrc file to use trusted registries, avoiding untrusted or unknown sources. Remove or replace suspicious or unauthorized packages found during the audit, using tools like npm ls to check for conflicting sources. Finally, keep dependencies up to date by regularly reviewing and updating them using package manager commands (npm update, yarn upgrade), ensuring you have the latest versions and security patches.
@w3cbot Could you please publish the "aria-practices" package in the official NPM repository, to resolve this issue?
Thanks
The ARIA Authoring Practices (APG) Task Force just discussed SECURITY - NPM Dependency Confusion.
The full IRC log of that discussion
<jugglinmike> Subtopic: SECURITY - NPM Dependency Confusion
<jugglinmike> github: https://github.com//issues/2745
<jugglinmike> Matt_King: They're asking us to publish our package manifest someplace
<jugglinmike> Matt_King: howard-e you might be the best person to address this
<jugglinmike> Matt_King: It looks like they want to pin all packages in the package.json file to specific versions
<jugglinmike> jugglinmike: what the reporting is describing sounds like the purpose of a package-lock.json file to me
<jugglinmike> jugglinmike: This issue appears to be the only public activity of this particular GitHub user account
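A defensive check that ties together the report's recommendation (exact pins and a trusted registry per source) with the package-lock.json that jugglinmike points to, added here as an example and not code from the aria-practices project or from anyone in the thread: it audits a package.json against its lockfile and flags dependencies that are not pinned to an exact version, are absent from the lock, or were resolved from a registry other than the one expected for their scope. The internal registry URL, the "@example" scope and both input manifests are constructed placeholders.

```javascript
// Added example (not from the aria-practices project): audit a package.json /
// package-lock.json pair for exact pins and a trusted registry per scope.
// Registry URLs and the "@example" scope below are assumed placeholders.
const TRUSTED_REGISTRY = {
  "@example": "https://npm.internal.example/", // internal scope (assumed)
  "": "https://registry.npmjs.org/",           // unscoped public packages
};

// Scope of a package name: "@example" for "@example/lib", "" otherwise.
function scopeOf(name) {
  return name.startsWith("@") ? name.split("/")[0] : "";
}

// Accept only a plain "x.y.z" (optionally with a prerelease tag), so that a
// range such as "^1.3.0" cannot be satisfied by a newer, unexpected release.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Returns a list of { name, issue } findings; an empty list means clean.
function auditDependencies(pkg, lock) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(deps)) {
    if (!isExactPin(spec)) {
      findings.push({ name, issue: `version spec "${spec}" is not an exact pin` });
    }
    // Lockfile v2/v3 keys installed packages as "node_modules/<name>".
    const entry = (lock.packages || {})[`node_modules/${name}`];
    if (!entry) {
      findings.push({ name, issue: "missing from package-lock.json" });
      continue;
    }
    const want = TRUSTED_REGISTRY[scopeOf(name)];
    if (!entry.resolved || !entry.resolved.startsWith(want)) {
      findings.push({ name, issue: `resolved from ${entry.resolved} instead of ${want}` });
    }
  }
  return findings;
}

// Constructed sample input: an internal-scope package that the lockfile shows
// was fetched from the public registry (the confusion signal), and a public
// package that is pinned with a range instead of an exact version.
const samplePkg = {
  dependencies: { "@example/internal-lib": "2.1.0", "left-pad": "^1.3.0" },
};
const sampleLock = {
  packages: {
    "node_modules/@example/internal-lib": { version: "2.1.0", resolved: "https://registry.npmjs.org/@example/internal-lib/-/internal-lib-2.1.0.tgz" },
    "node_modules/left-pad": { version: "1.3.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
  },
};
console.log(JSON.stringify(auditDependencies(samplePkg, sampleLock), null, 2));
```

Run against a real project by replacing the two sample objects with `require("./package.json")` and `require("./package-lock.json")`.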