feat!: refuse to download unverified downloads #548
+34
−32
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For the most common use case where a Corepack user interacts with an already-setup-for-Corepack project, this PR doesn't change anything, the project would have a
"packageManager"
field that includes a hash to validate the download.However, for cases when there are no hash defined there or in the CLI command (
corepack [email protected] …
/corepack up
/corepack use [email protected]
), we need another way to validate the download. For downloads from the npm registry, we verify using the ECDSA signature provided in the package metadata. For package manager that are not downloaded from the npm registry (i.e. Yarn Berry), the download is only protected by TLS, which is pretty good, but not as good.This change is going to be disruptive to Yarn Berry users. I think the Yarn team can mitigate by either:
Fixes: #495