yarn upgrade replaces custom github repos with actual npm published ones if name happens to match #2501
After debugging through the code a bit, I think this is related to the way the command From the docs:
So it looks like what it does is just ignore anything in package.json about this package, and gets the latest version from NPM. This means it no longer knows that the "specified version" in the package.json is actually a custom URL. I think the command I think I could also just run Edit:
I opened a pull request which mirrors
This should be fixed. Please double check.
@juanca Seems to be fixed for me now, FWIW.
Do you want to request a feature or report a bug?
Bug
What is the current behavior?
During `yarn install` a custom github URL in `package.json` will be used to fetch a package. During `yarn upgrade` the online NPM package is used, and yarn ignores a custom URL defined in `package.json`.
This can be very problematic for organizations that use private github repos, and their repo name happens to align with another existing NPM repo. Or, in the future someone could publish an NPM repo by the same name as your private repo and your build environment may inadvertently download this published package instead of using your private repo.
If the current behavior is a bug, please provide the steps to reproduce.
Add a custom package name that happens to match an actual NPM package, but use a Github URL in your package.json. For example a package named "ui-components" is a private Github repo, but also happens to be an actual NPM package:
Now run `yarn install` and the files from the private github.com/MyCompany/ui-components repo will be installed in `node_modules` 👍
Now run `yarn outdated` to check for updates. This reports:
This still looks correct so far 👍
Now in an attempt to grab the latest code from that private repo, run: `yarn upgrade ui-components`
This will result in Yarn downloading and installing the NPM-published "ui-components" NOT the private repo code listed in the URL. 👎
It also REPLACES the custom github URL in the `package.json` file with:
so future updates no longer use my private repo 👎
This actually poses a security risk. Consider the attack: I find out the name of a company's private repo and know that their CI server does a `yarn upgrade` at some point. I could publish a new npm package by that name with malicious code, and their CI server would download and potentially execute it.
What is the expected behavior?
`yarn upgrade` should attempt to resolve package name to url mapping from `package.json` file before using the NPM listed URL. `yarn upgrade` should leave custom github URL in `package.json` file.
Please mention your node.js, yarn and operating system version.
node: v6.3.0 (installed by nvm)
yarn: v0.19.1 (installed by homebrew)
os: macOS 10.12 Sierra
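As an added example, not part of this issue or of yarn's own code: a small Python check a defender could run in CI after `yarn upgrade` to catch exactly the rewrite reported above. It compares the pre-upgrade package.json (the copy from version control) with the post-upgrade one and flags any dependency whose spec went from a git URL to a registry range; it also reads the resulting yarn.lock to see whether a git-declared dependency was in fact resolved from the public registry. The git-spec patterns, the registry host list, the minimal lockfile reader and all sample file contents (including the version numbers) are assumptions made for this example.

```python
"""Post-upgrade check for the behaviour described in this issue: a dependency
declared with a git/GitHub URL in package.json that ends up pointing at the
public npm registry instead. Added example, not yarn's own code; every sample
file below is constructed."""
import json
import re

# Spec forms yarn fetches from a git host rather than the registry. This
# pattern is an assumption covering the common forms, not yarn's own parser.
GIT_SPEC = re.compile(
    r"^(git(\+ssh|\+https?)?://|github:|gitlab:|bitbucket:|https?://github\.com/"
    r"|[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(#.*)?$)"
)
REGISTRY_HOSTS = ("registry.yarnpkg.com", "registry.npmjs.org")  # assumed hosts
SECTIONS = ("dependencies", "devDependencies")


def is_git_spec(spec: str) -> bool:
    """True when a package.json spec points at a git host, not the registry."""
    return bool(GIT_SPEC.match(spec))


def find_spec_rewrites(before: dict, after: dict) -> list:
    """Dependencies whose spec was a git URL in `before` (package.json prior to
    `yarn upgrade`) but is no longer one in `after`."""
    findings = []
    for section in SECTIONS:
        for name, old_spec in before.get(section, {}).items():
            new_spec = after.get(section, {}).get(name)
            if new_spec is None or not is_git_spec(old_spec):
                continue
            if not is_git_spec(new_spec):
                findings.append({"section": section, "name": name,
                                 "before": old_spec, "after": new_spec})
    return findings


def _name_from_spec(spec: str) -> str:
    """'ui-components@^0.4.2' -> 'ui-components'; '@scope/x@^1' -> '@scope/x'.
    Skips a leading '@' so scoped packages are handled."""
    at = spec.find("@", 1)
    return spec if at == -1 else spec[:at]


def parse_yarn_lock(text: str) -> dict:
    """Minimal yarn v1 lockfile reader: package name -> resolved URL.
    Written for this example; it reads only the header and `resolved` lines."""
    resolved_by_name, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" ") and line.rstrip().endswith(":"):
            # Header such as:  lodash@^4.17.4:   or   "@s/x@^1", "@s/x@^1.2":
            first_spec = line.rstrip()[:-1].split(",")[0].strip().strip('"')
            current = _name_from_spec(first_spec)
        elif current and line.strip().startswith("resolved "):
            resolved_by_name[current] = line.strip().split(" ", 1)[1].strip('"')
    return resolved_by_name


def find_registry_resolved_git_deps(pkg: dict, lock: dict) -> list:
    """Git-spec dependencies in `pkg` whose lockfile entry resolved to the
    public registry, i.e. the private repo is not what got installed."""
    findings = []
    for section in SECTIONS:
        for name, spec in pkg.get(section, {}).items():
            resolved = lock.get(name, "")
            if is_git_spec(spec) and any(h in resolved for h in REGISTRY_HOSTS):
                findings.append({"name": name, "spec": spec, "resolved": resolved})
    return findings


# Constructed package.json contents before and after `yarn upgrade ui-components`.
PKG_BEFORE = json.loads("""{
  "name": "my-app",
  "dependencies": {
    "ui-components": "git+https://github.com/MyCompany/ui-components.git",
    "lodash": "^4.17.0"
  }
}""")
PKG_AFTER = json.loads("""{
  "name": "my-app",
  "dependencies": {
    "ui-components": "^0.4.2",
    "lodash": "^4.17.4"
  }
}""")

# Constructed yarn.lock as it would look once the registry package was pulled in.
LOCK_AFTER = """# yarn lockfile v1

lodash@^4.17.4:
  version "4.17.4"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.4.tgz"

ui-components@^0.4.2:
  version "0.4.2"
  resolved "https://registry.yarnpkg.com/ui-components/-/ui-components-0.4.2.tgz"
"""

if __name__ == "__main__":
    for f in find_spec_rewrites(PKG_BEFORE, PKG_AFTER):
        print(f"package.json rewrite: {f['name']} {f['before']!r} -> {f['after']!r}")
    for f in find_registry_resolved_git_deps(PKG_BEFORE, parse_yarn_lock(LOCK_AFTER)):
        print(f"git dependency resolved from registry: {f['name']} -> {f['resolved']}")
```

The lockfile check is run against the pre-upgrade package.json on purpose: once yarn has rewritten the spec to `^0.4.2`, the post-upgrade file no longer says the dependency was ever meant to come from git, so the committed copy is the only record of intent. Failing the CI job on any finding keeps a rewritten spec from being merged unnoticed.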