PUBLIC - Liferay Portal Community Edition
LPS-129670

Prefix all package.json "name" fields with "@liferay/" named scope

    Details

      Description

      This is a "defense in depth" countermeasure to avoid dependency confusion attacks as described here:

      https://github.com/liferay/liferay-frontend-projects/blob/master/guidelines/general/security/dependency_confusion.md

      This complements the work that we previously did of registering all existing package names, and work that we will do in the future of setting up a lint to make sure we never add any more packages without the scope.

      For an example change, see:

      https://github.com/liferay-frontend/liferay-portal/pull/813

      Note that these changes can be quite large, because you have to change the name and then update all of the import statements. Now "frontend-js-react-web" was a particularly bad example because it is used all over the place, so most of the other modules should be quite a bit easier, but I still think we should probably divide this up into smaller PRs to avoid running into rebase/merge-conflict hell. I am not creating subordinate tasks for this, but you should feel free to do so.

      Don't forget to update our imports configuration either:

      https://github.com/liferay/liferay-portal/blob/538d468078c7c79d74d8feeba1e5605c09a9a2d5/modules/npmscripts.config.js#L31-L194
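The following is an added example, not code from this ticket or from the Liferay codebase, showing what the two mechanical parts of this work look like: a lint-style check that flags every package.json whose "name" is not under the "@liferay/" scope, and a rewrite helper that updates import/require specifiers and dependency keys that still reference the old unscoped name. The package list and source snippet are constructed in-memory so the script runs offline; a real lint would collect the package.json files by walking the modules/ tree with fs.

```javascript
// Added example (hypothetical, not Liferay's own tooling): scope check plus
// import/dependency rewrite for the "@liferay/" package-name migration.

const SCOPE = '@liferay/';

// Constructed sample: [{path, pkg}] where pkg is a parsed package.json.
const SAMPLE_PACKAGES = [
  {path: 'modules/apps/frontend-js/frontend-js-react-web/package.json',
   pkg: {name: 'frontend-js-react-web', version: '1.0.0'}},
  {path: 'modules/apps/frontend-js/frontend-js-web/package.json',
   pkg: {name: '@liferay/frontend-js-web', version: '1.0.0'}},
  {path: 'modules/apps/example/example-web/package.json',
   pkg: {name: '@acme/example-web', version: '1.0.0'}},
];

// Constructed sample consumer source that imports the unscoped package.
const SAMPLE_SOURCE = [
  "import React from 'react';",
  "import {useIsMounted} from 'frontend-js-react-web';",
  "const hooks = require('frontend-js-react-web/lib/hooks');",
  "import local from './frontend-js-react-web';",
].join('\n');

// Returns one finding per package.json whose name is not under SCOPE.
// An unscoped name is the one an attacker could register on the public
// registry to trigger dependency confusion, so it gets a suggested rename;
// a name under some other scope is flagged without a suggestion.
function findUnscopedPackages(entries) {
  const findings = [];
  for (const {path, pkg} of entries) {
    const name = pkg.name;
    if (typeof name !== 'string' || name.length === 0) {
      findings.push({path, name, problem: 'missing name'});
    } else if (name.startsWith(SCOPE)) {
      continue;
    } else if (name.startsWith('@')) {
      findings.push({path, name, problem: 'foreign scope'});
    } else {
      findings.push({path, name, problem: 'unscoped', suggested: SCOPE + name});
    }
  }
  return findings;
}

// Builds a Map of old name -> new name from the findings that have a suggestion.
function renamesFrom(findings) {
  return new Map(findings.filter((f) => f.suggested).map((f) => [f.name, f.suggested]));
}

// Maps a module specifier such as "pkg/lib/x" to "@liferay/pkg/lib/x" when the
// bare package part is in renames; relative paths and unknown names pass through.
function renameSpecifier(specifier, renames) {
  const slash = specifier.indexOf('/');
  const pkgName = slash === -1 ? specifier : specifier.slice(0, slash);
  const rest = slash === -1 ? '' : specifier.slice(slash);
  const target = renames.get(pkgName);
  return target === undefined ? specifier : target + rest;
}

// Rewrites the string literal after `from`, `require(` or `import ` in source text.
function rewriteImports(source, renames) {
  const pattern = /(\bfrom\s+|\brequire\(\s*|\bimport\s+)(['"])([^'"]+)\2/g;
  return source.replace(pattern, (match, keyword, quote, specifier) =>
    keyword + quote + renameSpecifier(specifier, renames) + quote);
}

// Returns a copy of a consumer package.json with renamed dependency keys.
function rewriteDependencies(pkg, renames) {
  const out = {...pkg};
  for (const field of ['dependencies', 'devDependencies', 'peerDependencies']) {
    if (!pkg[field]) continue;
    out[field] = {};
    for (const [dep, range] of Object.entries(pkg[field])) {
      out[field][renames.get(dep) || dep] = range;
    }
  }
  return out;
}

// Stand-alone run over the constructed samples.
const findings = findUnscopedPackages(SAMPLE_PACKAGES);
for (const f of findings) {
  console.log(`${f.path}: ${f.problem}` + (f.suggested ? ` -> ${f.suggested}` : ''));
}
console.log(rewriteImports(SAMPLE_SOURCE, renamesFrom(findings)));
```

The findings with a suggested name are what a lint in CI would fail on; the rewrite helpers are only meant for the one-off migration, since after it every new package is expected to be created with the scope from the start.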

Assignee: support-lep@liferay.com SE Support
Reporter: greg.hurrell Greg Hurrell (Inactive)