How does one declare a security vulnerability in an npm package as the maintainer and publisher?

When I discover a security vulnerability in a package I have published myself, how do I mark a range of affected versions so that downstream consumers are notified when they run npm audit?

Essentially, you do not mark a range of vulnerable versions yourself. Instead, you report it/them directly to NPM via the "Report malware" button, which can be found on the specific npm package page at www.npmjs.com. The npm Security team then triages the report, and they flag it in the database. Users are then notified accordingly when running the npm audit command.

For details, see this post on the npm blog. Although the npm blog has been retired, as far as I know the process for reporting a security vulnerability is roughly the same.

Quoted below are the relevant sections about the information you need to provide to NPM regarding the vulnerability...

Source: https://blog.npmjs.org/post/179430064885/writing-quality-vulnerability-reports.html

In order for us to make sure reported vulnerabilities are handled rapidly and effectively, we need you, our community, to provide us with actionable, detailed information. Here are some basic dos and don'ts for your security report:

What should be included in a quality security report

  • The package name and version where you experienced the vulnerability. Example: marked@1.0.0 or marked@*
  • A short description of the vulnerability and its impact. Example: “If a user is able to control input into the function foo then the user is able to execute commands giving the attacker the same access as the user running the application.”
  • Details of the environment in which you experienced the vulnerability. Example: “This was found to be exploitable using node.js 6.0.0 on OSX, but was not tested using any other platform or Node.js version.”
  • A demonstrable proof of concept or steps to reproduce the same result. This helps the npm Security team efficiently triage the issue (see the example below).
  • Any particular references, code snippets, or documents that might help the npm Security team or the maintainer better understand (see the example below).

What should not be reported

  • Reports without actionable context are very time-consuming for our team to adequately process. These requests should go to the package maintainer in the form of an issue.
  • The output of npm audit - As the npm Security team already knows about these flaws, it’s better to reach out to the maintainer directly to update dependency versions.
  • General feature requests
  • Stack traces or errors without explanation as to what security impact they have.
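To make concrete what "flagging a range of vulnerable versions" means for the downstream consumer, here is an added illustration (it is neither part of the answer above nor npm's own code). It models the check that npm audit performs on the consumer side: each installed version recorded in the lockfile is compared against an advisory's vulnerable version range. The advisory ids, the package names apart from marked, the ranges and the lockfile contents are all constructed for the example; real advisories are published by the npm Security team after triage, and real npm audit uses the full semver library rather than this reduced comparator.

```javascript
// Added example: a minimal model of the consumer-side check behind `npm audit`.
// Not npm's code. The advisory and lockfile below are constructed sample data.

// Parse "1.2.3" into [1, 2, 3]. Prerelease/build suffixes are ignored for brevity.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Supports the comparator subset most advisories use:
// "<1.2.3", "<=1.2.3", ">=1.0.0 <1.2.3", "*", and "||"-joined alternatives.
function satisfies(version, range) {
  return range.split('||').some((alt) => {
    const parts = alt.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0 || parts[0] === '*') return true;
    return parts.every((p) => {
      const m = /^(<=|>=|<|>|=)?(.+)$/.exec(p);
      const op = m[1] || '=';
      const cmp = compareVersions(version, m[2]);
      switch (op) {
        case '<': return cmp < 0;
        case '<=': return cmp <= 0;
        case '>': return cmp > 0;
        case '>=': return cmp >= 0;
        default: return cmp === 0;
      }
    });
  });
}

// Walk the "packages" map of a lockfile (v2/v3 layout, keyed by install path)
// and return every installed copy whose version falls in a vulnerable range.
// Nested copies (node_modules/a/node_modules/b) are checked too.
function auditLockfile(lock, advisories) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    for (const adv of advisories) {
      if (adv.name === name && satisfies(entry.version, adv.vulnerable_versions)) {
        findings.push({ path, name, version: entry.version, advisory: adv.id });
      }
    }
  }
  return findings;
}

// Constructed advisory list (ids and ranges are placeholders, not real advisories).
const ADVISORIES = [
  { id: 'EXAMPLE-ADVISORY-1', name: 'marked', vulnerable_versions: '<1.1.0' },
  { id: 'EXAMPLE-ADVISORY-2', name: 'left-pad', vulnerable_versions: '>=1.0.0 <1.0.3 || 2.0.0' },
];

// Constructed lockfile excerpt: one vulnerable marked, one patched nested marked,
// and a left-pad outside the flagged range.
const LOCKFILE = {
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/marked': { version: '1.0.0' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/foo/node_modules/marked': { version: '1.1.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditLockfile(LOCKFILE, ADVISORIES));
}
```

Running the file prints a single finding, the top-level marked@1.0.0, which is exactly the situation the question describes: the maintainer does not edit anything in the package itself; the advisory's range (here "<1.1.0") is what turns an installed version into an audit hit, and the nested 1.1.0 copy is correctly left alone.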