Mitigating supply chain attacks
Sometimes npm packages are compromised and published with malware. Luckily, there are companies like Socket, Snyk, and Aikido that detect these compromised packages early. The npm registry usually removes the affected versions within hours. However, there is always a window of time between when the malware is published and when it is detected, during which you could be exposed. Fortunately, there are some things you can do with pnpm to minimize the risks.
Block risky postinstall scripts
Historically, most compromised packages have used postinstall scripts to run code immediately upon installation. To mitigate this, pnpm v10 disables the automatic execution of postinstall scripts in dependencies. Although there is a setting to re-enable them globally using dangerouslyAllowAllBuilds, we recommend explicitly listing only trusted dependencies. This way, if a dependency did not require a build in the past, it won't suddenly run a malicious script if a compromised version is published. Still, we recommend being cautious when updating a trusted package that has a postinstall script, as it might get compromised.
Delay dependency updates
Another way to reduce the risk of installing compromised packages is to delay updates to your dependencies. Since malware is usually detected quickly, delaying updates by 24 hours will most likely prevent you from installing a bad version. The minimumReleaseAge setting defines the minimum number of minutes that must pass after a version is published before pnpm will install it. For example, set it to 1440 to wait one day, or 10080 to wait one week before installing a new version.
Enforce trust with trustPolicy
To further protect your supply chain, pnpm also supports a trustPolicy setting. When set to no-downgrade, this setting will prevent installation of a package if its trust level has decreased compared to previous releases (for example, if it was previously published by a trusted publisher but now only has provenance or no trust evidence). This helps you avoid installing potentially compromised or less trustworthy versions.
If you need to allow specific packages or versions to bypass the trust policy check, you can use the trustPolicyExclude setting. This is useful for known packages that may not meet the trust requirements but are still safe to use.
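The three mitigations above (an explicit build allowlist instead of dangerouslyAllowAllBuilds, minimumReleaseAge, and trustPolicy with its exclusions) combined in one pnpm-workspace.yaml, as an added example rather than a fragment taken from the pnpm documentation. onlyBuiltDependencies is pnpm's allowlist setting for the "explicitly listing only trusted dependencies" advice; the package names in the lists are placeholders for whatever your own project actually trusts.

```yaml
# pnpm-workspace.yaml (added example; package names are placeholders)

# Run lifecycle scripts (postinstall etc.) only for this explicit allowlist.
# A dependency that never needed a build step stays out of the list, so a
# newly compromised release of it cannot suddenly execute code on install.
onlyBuiltDependencies:
  - some-native-addon   # placeholder: a dependency that genuinely needs its build step

# Do NOT set this; it re-enables every dependency's postinstall script:
# dangerouslyAllowAllBuilds: true

# Refuse to install any version published less than 1440 minutes (1 day) ago,
# giving scanners and the registry time to catch and remove a bad release.
minimumReleaseAge: 1440

# Refuse a version whose trust level dropped compared to earlier releases
# (e.g. trusted publisher -> provenance only -> no trust evidence).
trustPolicy: no-downgrade

# Named exceptions to the trust check; keep this list short and review each entry.
trustPolicyExclude:
  - some-internal-tool  # placeholder: a known package that cannot meet the trust requirements
```

Run pnpm install after changing these settings; with the lockfile committed, the delay and trust checks apply only when a dependency is actually updated to a newer version.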
Use a lockfile
It goes without saying that you should always lock your dependencies with a lockfile. Commit your lockfile to your repository to avoid unexpected updates.