# Exclude scripts property from coherence check in NPM packages upload

## 🔭 Context
In the NPM package registry, when a package is uploaded, a background job "processes" it. At that time, several checks are executed.

One of them is called the manifest coherence check. In short, when an NPM client uploads a package, it sends:

1. a tarball file (the file that is actually uploaded), and
2. a set of upload parameters (the upload payload).

The coherence check is there to make sure that (1.) and (2.) are coherent. Among the different fields, we check the `scripts` property. The check is currently implemented as: `scripts` in (1.) has to be exactly the same as in (2.).
NPM clients (in particular `$ npm`) apply auto-corrections to the `package.json` file content before sending it in the upload payload. The problem we discovered in gitlab-com/gl-infra/production#18253 (closed) is that, in their usage, they auto-correct what is in (1.) to build (2.).

For example, when `$ npm` inspects `scripts`, it removes any leading `./node_modules/.bin/` prefix from any script. So, in the tarball's `package.json`, the `scripts` can be like:
```json
{
  ...
  "scripts": { "foo:bar": "./node_modules/.bin/bar arg1 arg2" }
  ...
}
```
And what is sent in the upload request payload will be auto-corrected to:
```json
{
  ...
  "scripts": { "foo:bar": "bar arg1 arg2" }
  ...
}
```
Now, what happens with our coherence check? (`./node_modules/.bin/bar arg1 arg2` vs `bar arg1 arg2`) Yes,
Based on the above, we checked with the Application Security Team whether we can exclude the `scripts` property from the coherence check, and we received their approval.
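To illustrate the failure mode and the fix, here is an added example (not GitLab's own code) of a simplified coherence check run against the manifests above, first with `scripts` included and then with it excluded. The manifests, the `npm_autocorrect` stand-in for the client's prefix stripping, and the `incoherent_fields` function are all constructed for this example.

```ruby
require 'json'

# Constructed sample manifest for this example: the package.json inside
# the tarball, as the package author wrote it (not a real upload).
TARBALL_PACKAGE_JSON = <<~MANIFEST
  {
    "name": "@scope/foo",
    "version": "1.2.3",
    "scripts": { "foo:bar": "./node_modules/.bin/bar arg1 arg2" }
  }
MANIFEST

# Simplified stand-in for the npm client's auto-correction described above:
# the leading "./node_modules/.bin/" is stripped from every script value.
def npm_autocorrect(manifest)
  corrected = manifest.dup
  corrected['scripts'] = manifest.fetch('scripts', {}).transform_values do |cmd|
    cmd.sub(%r{\A\./node_modules/\.bin/}, '')
  end
  corrected
end

# Hypothetical coherence check: every field listed in `fields` must be
# identical between the tarball manifest (1.) and the upload payload (2.).
# Returns the fields that differ; an empty list means the upload is coherent.
def incoherent_fields(tarball_manifest, payload_manifest, fields:)
  fields.reject { |f| tarball_manifest[f] == payload_manifest[f] }
end

CHECKED_FIELDS_BEFORE = %w[name version scripts].freeze # current behaviour
CHECKED_FIELDS_AFTER  = %w[name version].freeze         # scripts excluded

# Runs the check both ways on the sample manifest and its auto-corrected
# payload; `before` lists the false positive, `after` is empty.
def demo
  tarball = JSON.parse(TARBALL_PACKAGE_JSON)
  payload = npm_autocorrect(tarball)
  {
    before: incoherent_fields(tarball, payload, fields: CHECKED_FIELDS_BEFORE),
    after:  incoherent_fields(tarball, payload, fields: CHECKED_FIELDS_AFTER)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```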