Version: 10.x

Mitigating supply chain attacks

Sometimes npm packages are compromised and published with malware. Luckily, there are companies like Socket, Snyk, and Aikido that detect these compromised packages early, and the npm registry usually removes the affected versions within hours. However, there is always a window of time between when the malware is published and when it is detected, during which you could be exposed. Fortunately, there are some things you can do with pnpm to minimize the risk.

Historically, most compromised packages have used postinstall scripts to run code immediately upon installation. To mitigate this, pnpm v10 disables the automatic execution of postinstall scripts in dependencies. Although there is a setting to re-enable them globally, dangerouslyAllowAllBuilds, we recommend explicitly listing only the dependencies you trust to build. This way, if a dependency did not require a build in the past, it won't suddenly run a malicious script when a compromised version is published. Still, we recommend being cautious when updating a trusted package that has a postinstall script, as that package itself might get compromised.

Another way to reduce the risk of installing compromised packages is to delay updates to your dependencies. Since malware is usually detected quickly, delaying updates by 24 hours will most likely prevent you from installing a bad version. The minimumReleaseAge setting defines the minimum number of minutes that must pass after a version is published before pnpm will install it. For example, set it to 1440 to wait one day, or to 10080 to wait one week, before installing a new version.
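As an added example (not pnpm's own code, and not code from this page), the following Node.js script shows the two mechanisms described above: how a minimumReleaseAge gate picks, from npm registry metadata, the newest version that has been public long enough, and how a trusted-dependency list decides whether a dependency's postinstall script may run. The settings object, the package name example-pkg, the registry metadata and all timestamps are constructed for illustration; minimumReleaseAge and dangerouslyAllowAllBuilds are the settings named on this page, and onlyBuiltDependencies is pnpm's setting for the trusted-build list.

```javascript
// Added example, not pnpm's implementation: a release-age gate over npm
// registry metadata plus a build allow-list check.

// Constructed settings, mirroring what you would put in pnpm-workspace.yaml
// (minimumReleaseAge is in minutes; onlyBuiltDependencies is the trusted list).
const config = {
  minimumReleaseAge: 1440,            // wait one day before installing a new version
  onlyBuiltDependencies: ['esbuild'], // only these dependencies may run install scripts
  dangerouslyAllowAllBuilds: false,   // the global override this page advises against
};

// Constructed registry metadata ("packument") for a hypothetical package.
// The npm registry's `time` map records an ISO timestamp per published
// version (real packuments also carry "created"/"modified" keys there).
const packument = {
  name: 'example-pkg',
  'dist-tags': { latest: '1.2.1' },
  time: {
    created: '2025-01-01T00:00:00.000Z',
    modified: '2025-01-09T12:00:00.000Z',
    '1.1.0': '2025-01-01T00:00:00.000Z',
    '1.2.0': '2025-01-08T00:00:00.000Z',
    '1.2.1': '2025-01-09T12:00:00.000Z', // published one hour before `now` below
  },
};

// Parse "x.y.z" into numbers; returns null for anything else, which also
// skips the created/modified keys and prerelease versions.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Return the highest stable version published at least minimumReleaseAge
// minutes before `now`, or null if no version is old enough yet.
function selectVersion(pkg, minimumReleaseAge, now = new Date()) {
  const cutoff = now.getTime() - minimumReleaseAge * 60 * 1000;
  const eligible = Object.entries(pkg.time)
    .filter(([v, published]) => parseVersion(v) !== null && Date.parse(published) <= cutoff)
    .map(([v]) => v)
    .sort(compareVersions);
  return eligible.length > 0 ? eligible[eligible.length - 1] : null;
}

// Decide whether a dependency's install scripts may run under this config.
function mayRunBuildScripts(pkgName, cfg) {
  if (cfg.dangerouslyAllowAllBuilds) return true; // global override: every dependency builds
  return cfg.onlyBuiltDependencies.includes(pkgName);
}

// Example run: `now` is one hour after 1.2.1 was published, so the one-day
// gate still resolves to 1.2.0 even though "latest" points at 1.2.1.
const now = new Date('2025-01-09T13:00:00.000Z');
console.log(selectVersion(packument, config.minimumReleaseAge, now)); // 1.2.0
console.log(selectVersion(packument, 0, now));                          // 1.2.1
console.log(selectVersion(packument, 10080, now));                      // 1.1.0
console.log(mayRunBuildScripts('esbuild', config));                     // true
console.log(mayRunBuildScripts('example-pkg', config));                 // false
```

The point to take from the run is that a freshly published version is invisible to the resolver until the configured number of minutes has elapsed, regardless of the dist-tag, and that a dependency not on the trusted list never builds unless the global override is turned on.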

It goes without saying that you should always lock your dependencies with a lockfile. Commit your lockfile to your repository to avoid unexpected updates.