Closed
Bug 958244
Opened 10 years ago
Closed 10 years ago
Install npm on DXR admin node
Categories
(Infrastructure & Operations Graveyard :: WebOps: Other, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: erik, Assigned: bburton)
Details
(Whiteboard: [change - configuration])
We have some upcoming large npm dependencies I'd like to avoid checking into the source tree. Can we install npm on dxradm.private.phx1.mozilla.com? I spoke with Kendall on IRC earlier about this, and he wasn't sure of RHEL's support for npm, but a yum search on the processor box shows 1.3.6 available. That should do. I'll then use npm-shrinkwrap and write a little hashing validation tool to make sure we're getting the same versions of things each time.
Comment 1 (Reporter)•10 years ago
Actually, there's this lousy "scripts" directive that allows for arbitrary code execution at install time: https://npmjs.org/doc/misc/npm-scripts.html. So mere post-installation hash validation won't work. However, npm caches all downloaded packages in ~/.npm, so we're actually vulnerable to malicious package sources only the first time we fetch them. From then on, everything just comes off the local disk, and nothing even hits the network.
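A pre-install check along the lines comment 1 calls for, as an added example that is not part of the original bug or of DXR's code: it compares a package tarball's hash against a pinned value before opening the archive, then reads package/package.json to list the lifecycle scripts npm would run at install time. The function names, the constructed sample package and the choice of SHA-256 are assumptions.

```python
import hashlib, io, json, tarfile

# Lifecycle hooks that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def audit_tarball(data, pinned_sha256):
    """Return findings for one package tarball without executing anything in it."""
    actual = hashlib.sha256(data).hexdigest()
    if actual != pinned_sha256:
        # Do not even open an archive whose bytes are not the ones that were pinned.
        return ["hash mismatch: got %s" % actual]
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        # npm tarballs keep the manifest at package/package.json.
        manifest = json.load(tar.extractfile("package/package.json"))
    scripts = manifest.get("scripts") or {}
    return ["%s script would run: %s" % (hook, scripts[hook])
            for hook in INSTALL_HOOKS if scripts.get(hook)]

def make_sample_tarball(scripts):
    """Build a constructed in-memory package tarball (sample data for the demo)."""
    body = json.dumps({"name": "demo-pkg", "version": "1.0.0",
                       "scripts": scripts}).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    quiet = make_sample_tarball({"test": "mocha"})
    hooked = make_sample_tarball({"postinstall": "node setup.js"})
    pin = hashlib.sha256(quiet).hexdigest()
    print(audit_tarball(quiet, pin))    # pinned bytes, no install hooks
    print(audit_tarball(hooked, pin))   # different bytes than pinned
    print(audit_tarball(hooked, hashlib.sha256(hooked).hexdigest()))  # pinned, but has a hook
```

Run against the tarball as downloaded, before `npm install` sees it, the check reports both a changed archive and any script that would execute during installation.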
Updated•10 years ago
Whiteboard: [change - configuration]
Updated (Assignee)•10 years ago
Assignee: server-ops-webops → bburton
Comment 2 (Assignee)•10 years ago
npm has been installed via puppet

[root@dxradm.private.phx1 yum.repos.d]# npm --version
1.3.6
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated•5 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard