Closed Bug 958244 Opened 10 years ago Closed 10 years ago

Install npm on DXR admin node

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: erik, Assigned: bburton)

Details

(Whiteboard: [change - configuration])

We have some upcoming large npm dependencies I'd like to avoid checking into the source tree. Can we install npm on dxradm.private.phx1.mozilla.com?

I spoke with Kendall on IRC earlier about this, and he wasn't sure of RHEL's support for npm, but a yum search on the processor box shows 1.3.6 available. That should do.

I'll then use npm-shrinkwrap and write a little hashing validation tool to make sure we're getting the same versions of things each time.
Actually, there's this lousy "scripts" directive that allows for arbitrary code execution at install time: https://npmjs.org/doc/misc/npm-scripts.html. So mere post-installation hash validation won't work. However, npm caches all downloaded packages in ~/.npm, so we're actually vulnerable to malicious package sources only the first time we fetch them. From then on, everything just comes off the local disk, and nothing even hits the network.
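The point in the comment above, that validation has to happen before npm runs anything, sketched as an added example (not part of the original bug and not the reporter's tool): a fetched tarball is checked against a pinned SHA-256 and its manifest is checked for install-time hooks before it is unpacked. The `vet` function, the `PINS` map, the package names and the tarball bytes are all constructed for illustration.

```javascript
const crypto = require('crypto');

// Lifecycle hooks that npm runs on its own while installing a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

function sha256(buf) {
  return crypto.createHash('sha256').update(buf).digest('hex');
}

// List the install-time hooks declared in a parsed package.json.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
}

// Vet a fetched tarball before it is unpacked or handed to npm.
// `pins` maps "name@version" to the sha256 recorded at first review.
function vet(name, version, tarball, manifest, pins) {
  const key = `${name}@${version}`;
  const problems = [];
  if (!Object.prototype.hasOwnProperty.call(pins, key)) {
    problems.push('no pinned hash');
  } else if (sha256(tarball) !== pins[key]) {
    problems.push('hash mismatch');
  }
  for (const hook of installHooks(manifest)) {
    problems.push(`runs ${hook}: ${manifest.scripts[hook]}`);
  }
  return { key, ok: problems.length === 0, problems };
}

// Constructed sample data: stand-in bytes, not real npm tarballs.
const goodTarball = Buffer.from('constructed tarball bytes for example-lib 1.0.0');
const PINS = { 'example-lib@1.0.0': sha256(goodTarball) };
const plain = { name: 'example-lib', version: '1.0.0', scripts: { test: 'node test.js' } };
const hooked = { name: 'example-lib', version: '1.0.0', scripts: { postinstall: 'node setup.js' } };

function demo() {
  return [
    vet('example-lib', '1.0.0', goodTarball, plain, PINS),
    vet('example-lib', '1.0.0', Buffer.from('tampered bytes'), plain, PINS),
    vet('example-lib', '1.0.0', goodTarball, hooked, PINS),
    vet('other-lib', '2.0.0', goodTarball, plain, PINS),
  ];
}

for (const r of demo()) console.log(r.key, r.ok ? 'OK' : 'REJECT', r.problems.join('; '));
```

A package that declares an install hook is rejected even when its hash matches, so the hook's command gets a human review before the pin is accepted.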
Whiteboard: [change - configuration]
Assignee: server-ops-webops → bburton
npm has been installed via puppet

[root@dxradm.private.phx1 yum.repos.d]# npm --version
1.3.6
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard