@lionad/safe-npx 0.3.0 → 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +38 -1
- package/dist/index.js +5 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -5,12 +5,49 @@
|
|
|
5
5
|
<br>
|
|
6
6
|
</center>
|
|
7
7
|
|
|
8
|
-
##
|
|
8
|
+
## ⚠️ Archived / 项目已归档
|
|
9
|
+
|
|
10
|
+
**This project is archived as of April 2026.**
|
|
11
|
+
|
|
12
|
+
npm v11.10.0+ now provides native protection via `min-release-age` configuration. snpx has served its purpose and is no longer needed.
|
|
13
|
+
|
|
14
|
+
**项目已于 2026 年 4 月归档。**
|
|
15
|
+
|
|
16
|
+
npm v11.10.0+ 已原生支持 `min-release-age` 配置,提供相同的供应链攻击防护。snpx 已完成历史使命,不再需要。
|
|
17
|
+
|
|
18
|
+
### Migration / 迁移指南
|
|
19
|
+
|
|
20
|
+
```bash
|
|
21
|
+
# Uninstall snpx / 卸载 snpx
|
|
22
|
+
npm uninstall -g @lionad/safe-npx
|
|
23
|
+
|
|
24
|
+
# Upgrade npm to latest / 升级 npm 到最新版本
|
|
25
|
+
npm install -g npm@latest
|
|
26
|
+
|
|
27
|
+
# Configure global safety window (in hours) / 配置全局安全窗口(单位:小时)
|
|
28
|
+
echo "min-release-age=7" >> ~/.npmrc
|
|
29
|
+
|
|
30
|
+
# In CI environments / CI 环境中
|
|
31
|
+
# Set NPM_CONFIG_MIN_RELEASE_AGE=7
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
---
|
|
35
|
+
|
|
36
|
+
## Why / 为什么需要 (历史背景)
|
|
9
37
|
|
|
10
38
|
`npx -y pkg@latest` installs the bleeding edge. If that version was just compromised in a supply chain attack, you get owned immediately. **snpx** intercepts `@latest`, bare package names, and version ranges — resolving a safe version based on publish age and a configurable fallback strategy. This gives the security community time to catch malicious releases.
|
|
11
39
|
|
|
12
40
|
`npx -y pkg@latest` 会直接安装最新版本。如果该版本刚被供应链攻击(Supply Chain Attack)篡改,你会立即中招。**snpx** 会拦截 `@latest`、裸包名以及版本范围,根据发布时间和可配置的回退策略(Fallback Strategy)解析出一个安全版本。这为安全社区争取了发现和处置恶意发布的时间窗口。
|
|
13
41
|
|
|
42
|
+
**BEST PRACTICE: update to the latest npm for native protection.**
|
|
43
|
+
|
|
44
|
+
npm v11.10.0+ 原生支持 `min-release-age`,可全局防护所有 npm/npx 调用:
|
|
45
|
+
|
|
46
|
+
```bash
|
|
47
|
+
npm install -g npm@latest
|
|
48
|
+
echo "min-release-age=7" >> ~/.npmrc
|
|
49
|
+
```
|
|
50
|
+
|
|
14
51
|
## Install / 安装
|
|
15
52
|
|
|
16
53
|
```bash
|
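Review bot: the unit given for `min-release-age` in the migration block ("in hours" / "单位:小时", README lines 27-28 of the new text) should be checked against the npm documentation for the option before this ships; the value `7` is presented as a safety window, and if npm counts the option in a different unit than the comment claims, readers will tune the window to something other than what they intend, which undermines the very protection the "Why" section below describes. Two smaller points on the same block: `echo "min-release-age=7" >> ~/.npmrc` appends a new line on every run, so a reader who follows the guide twice ends up with duplicate keys, where `npm config set min-release-age 7` would set it once; and the CI line `# Set NPM_CONFIG_MIN_RELEASE_AGE=7` is only a comment, so consider showing the actual `export NPM_CONFIG_MIN_RELEASE_AGE=7` (or the CI provider's environment setting) so the snippet is copy-pasteable.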
package/dist/index.js
CHANGED
|
@@ -1889,7 +1889,11 @@ async function main() {
|
|
|
1889
1889
|
console.log(version);
|
|
1890
1890
|
return;
|
|
1891
1891
|
}
|
|
1892
|
-
await runNpx([
|
|
1892
|
+
await runNpx([
|
|
1893
|
+
...npxPrefixArgs,
|
|
1894
|
+
`${pkgName}@${version}`,
|
|
1895
|
+
...restArgs
|
|
1896
|
+
]);
|
|
1893
1897
|
}
|
|
1894
1898
|
main().catch((err) => {
|
|
1895
1899
|
console.error(`[snpx] Fatal: ${err.message}`);
|
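Review bot: `npxPrefixArgs` is spread into the `runNpx` call ahead of the pinned `${pkgName}@${version}` spec, but nothing in this hunk shows where it is populated or what it may contain, so the review needs to see that definition to confirm two things. First, that it holds only npx options and never a second package spec (npx accepts `--package`/`-p`), since any package pulled in that way would bypass the age-based version resolution that the pinned spec is there to enforce. Second, that the ordering is intentional: options before the spec go to npx itself, while `...restArgs` after it go to the invoked binary, so a user flag that ends up in the wrong bucket would silently change behaviour. A one-line comment above the call stating that contract, and a test covering a prefix arg plus a rest arg, would make the intent verifiable.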