
fetch2/npm/npmsw: Disable npm and npmsw fetchers due to security concerns

Message ID 20260121181334.1616926-1-richard.purdie@linuxfoundation.org
State New

Commit Message

Richard Purdie Jan. 21, 2026, 6:13 p.m. UTC
We've been made aware that there are security issues within the npm/npmsw fetchers.
The issue is that the code accepts data like checksums from the upstream
servers, rather than verifying it against local data from the recipes. This
means the upstream servers could feed arbitrary data into the build.

There have been maintenance issues on these fetchers for a while and despite
asking in multiple forums, we've been unable to find anyone to help fix the
issues. Until that issue is resolved and we can be convinced the fetcher is
secure and modelling best practices for reproducibility (inc. mirroring), this
patch disables the fetchers. This has been discussed and agreed by the OE TSC.

Parsing will not show errors but the recipes using these fetchers will not be
available. Recipes will be skipped at parsing and will show an error if a user
tries to build a recipe using them.

[YOCTO #16105]

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 lib/bb/fetch2/npm.py   | 5 ++++-
 lib/bb/fetch2/npmsw.py | 4 ++++
 2 files changed, 8 insertions(+), 1 deletion(-)
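The flaw the commit message describes is that the expected checksum comes from the same server that serves the tarball, so the check can never fail against a hostile or intercepted upstream. The following is an added illustration of that point, not BitBake's fetcher code and not part of this patch: the registry document, the tarball bytes and the package name are constructed for the example, and `fetch_trusting_upstream`, `fetch_verifying_locally` and `verify_integrity` are hypothetical names. It contrasts the insecure pattern (trust the registry's `dist.integrity`) with the one a recipe or committed lockfile should provide (a locally pinned value, with the hash algorithm also taken from the pinned value rather than from upstream).

```python
"""Added example, not BitBake code: why a fetcher must verify downloads
against locally pinned checksums, never against values the upstream
server returns alongside the artefact."""
import base64
import hashlib
import hmac
import json

# Only strong algorithms are accepted; a lockfile or registry that still
# carries sha1 is refused rather than trusted.
ALLOWED_ALGORITHMS = {"sha256", "sha512"}


def sri(data: bytes, algorithm: str = "sha512") -> str:
    """Build a Subresource-Integrity string ('sha512-<base64 digest>'),
    the form used in npm lockfiles and registry metadata."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode()}"


def verify_integrity(pinned: str, data: bytes) -> bool:
    """Check `data` against an SRI string. The algorithm is parsed from the
    pinned string, so whoever controls that string controls the algorithm;
    weak ones are rejected and the digest is compared in constant time."""
    algorithm, sep, b64digest = pinned.partition("-")
    if not sep or algorithm not in ALLOWED_ALGORITHMS:
        return False
    try:
        expected = base64.b64decode(b64digest, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    actual = hashlib.new(algorithm, data).digest()
    return hmac.compare_digest(actual, expected)


# Constructed stand-ins for a package tarball: the artefact the recipe was
# reviewed against, and one a compromised registry or MITM could serve.
TARBALL_GOOD = b"\x1f\x8b constructed stand-in for left-pad-1.3.0.tgz"
TARBALL_EVIL = b"\x1f\x8b constructed stand-in carrying a postinstall backdoor"

# Constructed registry response. The attacker controls both the tarball and
# this metadata, so the published integrity simply matches the bad bytes.
REGISTRY_DOC = json.dumps({
    "name": "left-pad",
    "version": "1.3.0",
    "dist": {
        "tarball": "https://registry.example/left-pad/-/left-pad-1.3.0.tgz",
        "integrity": sri(TARBALL_EVIL),
    },
})

# What local data (a recipe variable or a committed shrinkwrap) pins: computed
# once from the known-good artefact at review time and stored with the recipe.
RECIPE_PINNED = sri(TARBALL_GOOD)


def fetch_trusting_upstream(registry_doc: str, tarball: bytes) -> bool:
    """INSECURE pattern: the expected hash is read from the upstream
    document, i.e. from the party being verified."""
    expected = json.loads(registry_doc)["dist"]["integrity"]
    return verify_integrity(expected, tarball)


def fetch_verifying_locally(pinned: str, tarball: bytes) -> bool:
    """Secure pattern: only the locally pinned value is consulted; the
    registry's own integrity field is ignored entirely."""
    return verify_integrity(pinned, tarball)


def outcomes() -> dict:
    """Run both patterns over the constructed inputs."""
    return {
        "upstream_hash_accepts_backdoor": fetch_trusting_upstream(REGISTRY_DOC, TARBALL_EVIL),
        "recipe_pin_rejects_backdoor": fetch_verifying_locally(RECIPE_PINNED, TARBALL_EVIL),
        "recipe_pin_accepts_good": fetch_verifying_locally(RECIPE_PINNED, TARBALL_GOOD),
        "weak_algorithm_refused": verify_integrity(sri(TARBALL_GOOD, "sha1"), TARBALL_GOOD),
    }


if __name__ == "__main__":
    for name, result in outcomes().items():
        print(f"{name}: {result}")
```

The first result is the whole problem in one line: the upstream-supplied hash "verifies" the backdoored tarball, because the attacker published a hash for exactly those bytes. The pinned check rejects it while still accepting the reviewed artefact, and the last line shows why the algorithm must also be fixed locally, since an upstream that can pick the algorithm can downgrade it.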

Patch

diff --git a/lib/bb/fetch2/npm.py b/lib/bb/fetch2/npm.py
index e469d667687..15057da7d3f 100644
--- a/lib/bb/fetch2/npm.py
+++ b/lib/bb/fetch2/npm.py
@@ -39,6 +39,7 @@  from bb.fetch2 import URI
 from bb.fetch2 import check_network_access
 from bb.fetch2 import runfetchcmd
 from bb.utils import is_semver
+from bb.parse import SkipRecipe
 
 def npm_package(package):
     """Convert the npm package name to remove unsupported character"""
@@ -150,7 +151,9 @@  class Npm(FetchMethod):
 
     def supports(self, ud, d):
         """Check if a given url can be fetched with npm"""
-        return ud.type in ["npm"]
+        #return ud.type in ["npm"]
+        if ud.type in ["npm"]:
+            raise SkipRecipe("The npm fetcher has been disabled due to security issues and there is maintainer to address them")
 
     def urldata_init(self, ud, d):
         """Init npm specific variables within url data"""
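Review bot: after the new `if ud.type in ["npm"]: raise SkipRecipe(...)`, `supports()` has no return statement for other URL types, so it now returns None where it previously returned False; the npmsw hunk adds an explicit `return False`, and the same should be done here for consistency. The commented-out `#return ud.type in ["npm"]` is dead code and can simply be dropped. The SkipRecipe message also reads "there is maintainer to address them" where "there is no maintainer" is meant.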
diff --git a/lib/bb/fetch2/npmsw.py b/lib/bb/fetch2/npmsw.py
index 2f9599ee9e2..5cd16ce5d23 100644
--- a/lib/bb/fetch2/npmsw.py
+++ b/lib/bb/fetch2/npmsw.py
@@ -32,6 +32,7 @@  from bb.fetch2.npm import npm_unpack
 from bb.utils import is_semver
 from bb.utils import lockfile
 from bb.utils import unlockfile
+from bb.parse import SkipRecipe
 
 def foreach_dependencies(shrinkwrap, callback=None, dev=False):
     """
@@ -64,6 +65,9 @@  class NpmShrinkWrap(FetchMethod):
     def supports(self, ud, d):
         """Check if a given url can be fetched with npmsw"""
         return ud.type in ["npmsw"]
+        if ud.type in ["npmsw"]:
+            raise SkipRecipe("The npmsw fetcher has been disabled due to security issues and there is maintainer to address them")
+        return False
 
     def urldata_init(self, ud, d):
         """Init npmsw specific variables within url data"""
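Review bot: the original `return ud.type in ["npmsw"]` is left in place directly above the new block, so `supports()` returns before ever reaching `if ud.type in ["npmsw"]:` and the `raise SkipRecipe(...)` and `return False` lines are unreachable; as written, the npmsw fetcher is not disabled, contrary to the commit message. Remove (or comment out, as the npm.py hunk does) that return so the new check is actually evaluated. The SkipRecipe message has the same "there is maintainer" typo as npm.py and should read "there is no maintainer".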