youys
/
website
Not watched
1
0
Fork 0
Code
Releases 0 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
1 Commit
1 Branch
903 kB
17 Download
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
website/_posts/2017-02-24-cloudflare-state...

2017-02-24-cloudflare-statement.md 2.3 kB
Raw Permalink Normal View History

init
2 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445 
  1. ---

  2. layout     : post

  3. title      : "Cloudflare security incident and impact on Yarn users"

  4. author     : Sebastian McKenzie

  5. author_url : "https://twitter.com/sebmck"

  6. date       : 2017-02-24 14:00:00

  7. categories : announcements

  8. share_text : "Yarn statement on Cloudflare security incident"

  9. ---

  10. 

  11. Yarn uses its own proxy to the npm registry in order to allow us to experiment

  12. with the way the Yarn client works and allow optimizations in the future around

  13. how packages are resolved. This registry is used by all Yarn users by default.

  14. 

  15. In order to do this we use the popular service, Cloudflare, which is used by

  16. thousands of companies and who had offered to work with us to make Yarn installs

  17. faster globally.

  18. 

  19. Recently it was [reported](https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/)

  20. that Cloudflare had a serious bug that was leading to requests from other websites

  21. being leaked into HTTP responses.

  22. 

  23. When it comes to registry authentication, the Yarn client differs from the npm

  24. client in that when we perform authentication we do not store the resulting token

  25. and invalidate it after it's used.

  26. 

  27. However, Yarn still allows you to login with your npm account to perform actions

  28. such as publishing and downloading private packages. Out of the 70 million requests

  29. performed daily we only get 10-30 requests that involve registry authentication.

  30. This means that for these requests there was the possibility of user passwords

  31. being leaked.

  32. 

  33. **Since the Cloudflare announcement we've been in contact and have been assured

  34. that Yarn has not been affected and no Yarn users data has been leaked. Even with

  35. this assurance we'd recommend that if you're one of those 30 people a day using Yarn

  36. for registry authentication that you reset your password as a precautionary measure.**

  37. 

  38. As a result of this we're evaluating our security policy and have created a new email

  39. address [security@yarnpkg.com](mailto:security@yarnpkg.com) that can be used to report

  40. security vulnerabilities without going through the public issue tracker. We're also in

  41. the process of setting up a HackerOne account and will make an announcement when this

  42. is available.

  43. 

  44. We'd like to apologize for this disruption and want to reaffirm our commitment to security

  45. and transparency in cases like these.

js yarn包管理组件依赖分析

Contributors (1)
All