Release npm_ex 0.6.1

dannote · dannote · commit 65db98c0fd4f · 2026-05-12T14:33:42.000+03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
 
+## 0.6.1
+
+- Harden tarball extraction against path traversal and absolute-path entries
+- Preserve install-script metadata in `npm.lock`
+- Warn when dependencies declare ignored lifecycle scripts
+- Document that `npm_ex` does not run package lifecycle hooks automatically, mitigating install-time credential stealers
+
 ## 0.6.0
 
 - Move resolution modules under `NPM.Resolution`: `PackageResolver`, `Exports`, and `Conditional`
diff --git a/README.md b/README.md
@@ -11,7 +11,7 @@ Resolve, fetch, cache, and link npm packages directly from Mix.
 
 ```elixir
 def deps do
-  [{:npm, "~> 0.4.0"}]
+  [{:npm, "~> 0.6.1"}]
 end
 ```
 
@@ -107,6 +107,12 @@ mix npm.config
 9. Warns about unmet peer dependencies and deprecated packages
 10. Retries failed downloads with exponential backoff
 
+## Supply-chain safety
+
+`npm_ex` does not run package lifecycle hooks automatically. Packages with `preinstall`, `install`, `postinstall`, or `prepare` scripts are still installed, but their hooks are ignored and reported as warnings. Tarball paths are also validated before extraction so package contents cannot escape the cache directory.
+
+This blocks install-time credential stealers that rely on postinstall hooks reading files like `.env` and exfiltrating them during dependency installation.
+
 ## Why `npm.lock` instead of `package-lock.json`?
 
 `npm_ex` is not npm, so it keeps its own lockfile. `package.json` is the shared manifest; `npm.lock` is the reproducibility file for the `npm_ex` installer.
diff --git a/lib/npm.ex b/lib/npm.ex
@@ -318,6 +318,7 @@ defmodule NPM do
       :ok ->
         ms = div(link_us, 1000)
         Mix.shell().info(NPM.DepsOutput.format_summary(map_size(lockfile), ms))
+        warn_ignored_install_scripts(lockfile)
         Mix.shell().info(NPM.DepsOutput.format_lockfile(lockfile))
         :ok
 
@@ -338,7 +339,8 @@ defmodule NPM do
            integrity: info.dist.integrity,
            tarball: info.dist.tarball,
            dependencies: info.dependencies,
-           optional_dependencies: info.optional_dependencies
+           optional_dependencies: info.optional_dependencies,
+           has_install_script: info.has_install_script
          }}
       end
 
@@ -364,7 +366,8 @@ defmodule NPM do
           integrity: info.dist.integrity,
           tarball: info.dist.tarball,
           dependencies: info.dependencies,
-          optional_dependencies: Map.get(info, :optional_dependencies, %{})
+          optional_dependencies: Map.get(info, :optional_dependencies, %{}),
+          has_install_script: Map.get(info, :has_install_script, false)
         })
 
       :error ->
@@ -404,6 +407,20 @@ defmodule NPM do
     end)
   end
 
+  defp warn_ignored_install_scripts(lockfile) do
+    packages =
+      lockfile
+      |> Enum.filter(fn {_name, entry} -> Map.get(entry, :has_install_script, false) end)
+      |> Enum.map_join(", ", fn {name, entry} -> "#{name}@#{entry.version}" end)
+
+    if packages != "" do
+      Mix.shell().info(
+        "npm WARN ignored lifecycle scripts for #{packages}. " <>
+          "npm_ex never runs preinstall/install/postinstall hooks automatically."
+      )
+    end
+  end
+
   defp check_deprecated(name, version, info) do
     case Map.get(info, :deprecated) do
       nil ->
diff --git a/lib/npm/lockfile.ex b/lib/npm/lockfile.ex
@@ -13,7 +13,8 @@ defmodule NPM.Lockfile do
           integrity: String.t(),
           tarball: String.t(),
           dependencies: %{String.t() => String.t()},
-          optional_dependencies: %{String.t() => String.t()}
+          optional_dependencies: %{String.t() => String.t()},
+          has_install_script: boolean()
         }
 
   @type t :: %{String.t() => entry()}
@@ -54,7 +55,8 @@ defmodule NPM.Lockfile do
          integrity: Map.get(info, "integrity", ""),
          tarball: Map.get(info, "tarball", ""),
          dependencies: Map.get(info, "dependencies", %{}),
-         optional_dependencies: Map.get(info, "optional_dependencies", %{})
+         optional_dependencies: Map.get(info, "optional_dependencies", %{}),
+         has_install_script: Map.get(info, "has_install_script", false)
        }}
     end
   end
@@ -109,7 +111,8 @@ defmodule NPM.Lockfile do
          "integrity" => entry.integrity,
          "tarball" => entry.tarball,
          "dependencies" => entry.dependencies,
-         "optional_dependencies" => Map.get(entry, :optional_dependencies, %{})
+         "optional_dependencies" => Map.get(entry, :optional_dependencies, %{}),
+         "has_install_script" => Map.get(entry, :has_install_script, false)
        }}
     end
   end
diff --git a/lib/npm/script_install.ex b/lib/npm/script_install.ex
@@ -78,7 +78,8 @@ defmodule NPM.ScriptInstall do
          integrity: info.dist.integrity,
          tarball: info.dist.tarball,
          dependencies: info.dependencies,
-         optional_dependencies: info.optional_dependencies
+         optional_dependencies: info.optional_dependencies,
+         has_install_script: info.has_install_script
        }}
     end
   end
diff --git a/lib/npm/tarball.ex b/lib/npm/tarball.ex
@@ -60,18 +60,56 @@ defmodule NPM.Tarball do
 
     case :erl_tar.extract({:binary, tgz_data}, [:compressed, :memory]) do
       {:ok, entries} ->
-        Enum.each(entries, &write_entry(&1, dest_dir))
-        {:ok, length(entries)}
+        with {:ok, files} <- safe_entries(entries, dest_dir) do
+          Enum.each(files, &write_entry/1)
+          {:ok, length(files)}
+        end
 
       {:error, reason} ->
         {:error, {:extract, reason}}
     end
   end
 
-  defp write_entry({path, content}, dest_dir) do
-    rel_path = strip_prefix(to_string(path))
-    full_path = Path.join(dest_dir, rel_path)
+  defp safe_entries(entries, dest_dir) do
+    Enum.reduce_while(entries, {:ok, []}, fn {path, content}, {:ok, acc} ->
+      original_path = to_string(path)
+      rel_path = strip_prefix(original_path)
+
+      case safe_path(dest_dir, rel_path) do
+        {:ok, full_path} -> {:cont, {:ok, [{full_path, content} | acc]}}
+        {:error, reason} -> {:halt, {:error, {reason, original_path}}}
+      end
+    end)
+    |> case do
+      {:ok, files} -> {:ok, Enum.reverse(files)}
+      error -> error
+    end
+  end
+
+  defp safe_path(dest_dir, rel_path) do
+    dest = Path.expand(dest_dir)
+    full_path = Path.expand(rel_path, dest)
+
+    cond do
+      rel_path in ["", "."] ->
+        {:error, :unsafe_path}
+
+      unsafe_segments?(Path.split(rel_path)) ->
+        {:error, :unsafe_path}
+
+      not inside_dir?(full_path, dest) ->
+        {:error, :unsafe_path}
+
+      true ->
+        {:ok, full_path}
+    end
+  end
+
+  defp unsafe_segments?(segments), do: Enum.any?(segments, &(&1 in ["..", ""]))
+
+  defp inside_dir?(path, dir), do: path == dir or String.starts_with?(path, dir <> "/")
 
+  defp write_entry({full_path, content}) do
     full_path |> Path.dirname() |> File.mkdir_p!()
     File.write!(full_path, content)
   end
diff --git a/mix.exs b/mix.exs
@@ -1,7 +1,7 @@
 defmodule NPM.MixProject do
   use Mix.Project
 
-  @version "0.6.0"
+  @version "0.6.1"
   @source_url "https://github.com/elixir-volt/npm_ex"
 
   def project do
diff --git a/test/npm/lockfile_test.exs b/test/npm/lockfile_test.exs
@@ -28,6 +28,26 @@ defmodule NPM.LockfileTest do
       assert read_back["lodash"].integrity == "sha512-abc123=="
       assert read_back["lodash"].tarball =~ "lodash-4.17.21.tgz"
       assert read_back["lodash"].dependencies == %{}
+      assert read_back["lodash"].has_install_script == false
+    end
+
+    @tag :tmp_dir
+    test "preserves install script metadata", %{tmp_dir: dir} do
+      path = Path.join(dir, "npm.lock")
+
+      lockfile = %{
+        "native-pkg" => %{
+          version: "1.0.0",
+          integrity: "sha512-abc==",
+          tarball: "https://registry.npmjs.org/native-pkg/-/native-pkg-1.0.0.tgz",
+          dependencies: %{},
+          has_install_script: true
+        }
+      }
+
+      assert :ok = NPM.Lockfile.write(lockfile, path)
+      assert {:ok, read_back} = NPM.Lockfile.read(path)
+      assert read_back["native-pkg"].has_install_script == true
     end
 
     @tag :tmp_dir
diff --git a/test/npm/tarball_test.exs b/test/npm/tarball_test.exs
@@ -85,6 +85,22 @@ defmodule NPM.TarballTest do
       assert {:ok, 1} = NPM.Tarball.extract(tgz, dir)
       assert File.read!(Path.join(dir, "index.js")) == "no prefix"
     end
+
+    @tag :tmp_dir
+    test "rejects paths escaping the destination", %{tmp_dir: dir} do
+      tgz = create_test_tgz(%{"package/../evil.txt" => "owned"})
+
+      assert {:error, {:unsafe_path, "package/../evil.txt"}} = NPM.Tarball.extract(tgz, dir)
+      refute File.exists?(Path.join(Path.dirname(dir), "evil.txt"))
+    end
+
+    @tag :tmp_dir
+    test "rejects absolute paths", %{tmp_dir: dir} do
+      tgz = create_test_tgz(%{"/tmp/npm-ex-evil.txt" => "owned"})
+
+      assert {:error, {:unsafe_path, "/tmp/npm-ex-evil.txt"}} = NPM.Tarball.extract(tgz, dir)
+      refute File.exists?("/tmp/npm-ex-evil.txt")
+    end
   end
 
   describe "Tarball.extract edge cases" do
