0

Given Alex Birsan's revelation that he was able to run code internally within major private companies via dependency confusion (uploading packages to a public repo with the same name as a company's private/internal package, but with a higher version number), does Gemfury have protections against this?

I know the blended index goes a long way because all dependencies will be pulled from the Gemfury repo first if applicable, but does this include version checks? For example: if my Gemfury repo contains package A with version 1.1 and the public repo contains package A with version 1.2, and my package.json is set to pull the package with the highest minor number, is Gemfury smart enough to pull version 1.1 from my local repo instead of 1.2 from the public repo?

yagni
  • 1,160
  • 13
  • 15

1 Answers1

1

The answer is dependent on the package manager. For package managers that do multi-repo resolution on the client side, this will be dependent on the implementation of the package manager. For some, you can explicitly specify the source for each dependency, which avoids repo confusion. Given Alex Birsan's revelation, various package managers are addressing this individually.

As far as Gemfury's blending indexes for npm and Go Modules, the blending is done at the package level, so if a named package exists in your private account, only private versions are surfaced to the client for that package. This avoids versions in the public index interfering with a private package.

Michael
  • 1,139
  • 11
  • 11