Questions tagged [package-manager]

A package manager is a tool that automates the installation, updating and removal of software.

0 votes
0 answers
39 views

Does the chocolatey package manager cryptographically validate its payload's authentication and integrity for all packages after downloading them and before installing them? I usually trust my OS ...
asked by Michael Altfield
0 votes
1 answer
31 views

Does the cygwin package manager cryptographically validate its payload's authentication and integrity for all packages after downloading them and before installing them? Fortunately, it's possible to ...
asked by Michael Altfield
1 vote
2 answers
101 views

Does the npm package manager cryptographically validate its payload's authentication and integrity for all packages after downloading them and before installing them? I see a lot of guides providing ...
asked by Michael Altfield
3 votes
1 answer
219 views

In recent days, a significant number of NPM packages got compromised in quite sophisticated, worm-like supply chain attacks (cf https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-...
asked by cis
0 votes
0 answers
72 views

On a private bug bounty, I encountered the below scenario and I was wondering whether it was possible to perform a dependency confusion attack, or not. The package.json looks like this: { "name&...
asked by wkrf
1 vote
1 answer
76 views

Does PHP's Composer package manager cryptographically validate its payload's authentication and integrity for all packages after downloading them and before installing them? I see a lot of guides ...
asked by Michael Altfield
1 vote
1 answer
145 views

I was thinking about how to ensure the authenticity of Node.js packages that are installed from a public registry like npmjs.com. The only mechanisms (optionally) in place to my understanding are: ...
asked by Bob Ortiz
1 vote
0 answers
105 views

Ubuntu snap is quite a hot topic. Therefore I am curious, what security risks are known for it? Which misconfigurations are possible? And are there any misconfigurations which can be used to escalate ...
asked by hilmbert
0 votes
1 answer
174 views

Assuming you have full trust in your package manager i.e. pip or npm (not to be compromised and leak your packages). And you have full trust in your developers to always install the correct packages. ...
asked by Marc
1 vote
1 answer
211 views

I am specifically looking at the npm package metadata like from the lodash package, the relevant part which is this: { "shasum": "392617f69a947e40cec7848d85fcc3dd29d74bc5", &...
asked by Lance Pollard
4 votes
1 answer
212 views

I am wondering how to distinguish (password) prompts that the OS issued from prompts that are delivered application-side. This question first occurred to me when considering Firefox master passwords, ...
0 votes
3 answers
233 views

Does npm ensure that the packages are not spying on your data, saving it somewhere or is it the responsibility of the developer to ensure it? Can I confidently use the moderately well-known packages ...
asked by user290234
1 vote
3 answers
523 views

The risks of supply chain attacks on software libraries are well documented; however, I have not seen much on OS packages/dependencies. How important is it to both 1) pin OS dependencies (apt, rpm, etc.) ...
asked by user58446
1 vote
0 answers
120 views

Does Firefox's built-in installer for addons/extensions validate its payload's authentication and integrity for all files it downloads before actually installing them? I avoid in-app updates because, ...
asked by Michael Altfield
1 vote
0 answers
686 views

I have a Node.js app which has a lot of npm dependencies, running on a Linux (CentOS) machine. When Node starts, the script has access to the files outside its directory (at least by default), so ...
asked by Oleg