
Does Gemfury protect against dependency confusion?

Given Alex Birsan's revelation that he was able to run code internally within major private companies via dependency confusion (uploading packages to a public repo with the same name as a company's private/internal package, but with a higher version number), does Gemfury have protections against this?

I know the blended index goes a long way because all dependencies will be pulled from the Gemfury repo first if applicable, but does this include version checks? For example: if my Gemfury repo contains package A with version 1.1 and the public repo contains package A with version 1.2, and my package.json is set to pull the package with the highest minor number, is Gemfury smart enough to pull version 1.1 from my local repo instead of 1.2 from the public repo?

The answer is dependent on the package manager. For package managers that do multi-repo resolution on the client side, this will be dependent on the implementation of the package manager. For some, you can explicitly specify the source for each dependency, which avoids repo confusion. Given Alex Birsan's revelation, various package managers are addressing this individually.

As far as Gemfury's blending indexes for npm and Go Modules, the blending is done at the package level, so if a named package exists in your private account, only private versions are surfaced to the client for that package. This avoids versions in the public index interfering with a private package.
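To make the difference concrete, here is an added example (not Gemfury's or npm's code; the two indexes, the version numbers and the simplified caret-range handling are constructed for illustration) contrasting a version-level merge of both indexes with the package-level blending the answer describes:

```javascript
// Constructed sample data: the scenario from the question.
// Private account holds a@1.0.0 and a@1.1.0; the public registry holds a@1.2.0
// (same name, higher version) plus an unrelated package b.
const privateIndex = { a: ['1.0.0', '1.1.0'] };
const publicIndex = { a: ['1.2.0'], b: ['2.0.0'] };

// Compare two dotted version strings numerically ('1.10.0' > '1.9.0').
function compareVersions(x, y) {
  const ax = x.split('.').map(Number);
  const ay = y.split('.').map(Number);
  for (let i = 0; i < Math.max(ax.length, ay.length); i++) {
    const d = (ax[i] || 0) - (ay[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Highest version satisfying a simplified caret range such as '^1.1.0'
// (same major, not lower than the given version); null if nothing matches.
function pickHighest(versions, range) {
  const base = range.replace(/^\^/, '');
  const major = base.split('.')[0];
  const ok = versions.filter(
    v => v.split('.')[0] === major && compareVersions(v, base) >= 0
  );
  return ok.length ? ok.sort(compareVersions).pop() : null;
}

// Version-level merge: candidates from both indexes are pooled and the highest
// match wins, so a higher-numbered public package shadows the private one.
// This is the resolution behaviour that dependency confusion relies on.
function resolveMerged(name, range) {
  const pool = [...(privateIndex[name] || []), ...(publicIndex[name] || [])];
  const v = pickHighest(pool, range);
  if (!v) return null;
  const source = (privateIndex[name] || []).includes(v) ? 'private' : 'public';
  return { version: v, source };
}

// Package-level blending (what the answer describes): if the package name exists
// in the private index, only private versions are offered; the public index is
// consulted only for names that are not private at all.
function resolveBlended(name, range) {
  const fromPrivate = Object.prototype.hasOwnProperty.call(privateIndex, name);
  const versions = fromPrivate ? privateIndex[name] : publicIndex[name] || [];
  const v = pickHighest(versions, range);
  return v ? { version: v, source: fromPrivate ? 'private' : 'public' } : null;
}

console.log('merged: ', resolveMerged('a', '^1.1.0'));  // 1.2.0 from public
console.log('blended:', resolveBlended('a', '^1.1.0')); // 1.1.0 from private
```

With the merged strategy the range `^1.1.0` is satisfied by the public 1.2.0, which is exactly the confusion the question asks about; with package-level blending the public versions of `a` are never offered, while `b` still resolves from the public index.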
