The npm blog has been discontinued.
fixing a bearer token vulnerability
firstname.lastname@example.org (npm LTS) and
email@example.com were released to
latest. Among other improvements, these fix a vulnerability that could cause the unintentional leakage of bearer tokens.
Here are details on this vulnerability and how it affects you.
How to update npm
An up to date npm is the most secure npm. Update npm to get this patch, as well as other patches:
npm install npm@latest -g
Think you’re at risk? Generate a new bearer token
If you believe that your bearer token may have been leaked, invalidate your current npm bearer tokens and rerun
npm login to generate new tokens. Keep in mind that this may cause continuous integration builds in services like Travis to break, in which case you’ll need to update the tokens in your CI server’s configuration.
Details of the vulnerability
Since 2014, npm’s registry has used HTTP bearer tokens to authenticate requests from the npm’s command-line interface. A design flaw meant that the CLI was sending these bearer tokens with every request made by logged-in users, regardless of the destination of their request. (The bearers only should have been included for requests made against a registry or registries used for the current install.)
An attacker could exploit this flaw by setting up an HTTP server that could collect authentication information, then use this authentication information to impersonate the users whose tokens they collected. This impersonation would allow them to do anything the compromised users could do, including publishing new versions of packages.
With the fixes we’ve released, the CLI will only send bearer tokens with requests made against a registry.
Will this break my current setup?
npm’s CLI team believes that the fix won’t break any existing registry setups. Due to the large number of registry software suites out in the wild, though, it’s possible our change will be breaking in some cases.
If so, please file an issue describing the software you’re using and how it broke. Our team will work with you to mitigate the breakage.
Thanks to the community
Thanks to Mitar, Will White & the team at Mapbox, Max Motovilov, and James Taylor for reporting this vulnerability to npm. You can learn more about npm’s security policy on our security page.
Node.js has also posted about this disclosure. You can read that here.