
[3/3] package/nodejs: taint the build when using external modules

Message ID 20231103182745.903344-4-adam.duskett@amarulasolutions.com
State Rejected, archived
Series Add tainting support | expand

Commit Message

Adam Duskett Nov. 3, 2023, 6:27 p.m. UTC
By default, there is no guarantee of reproducibility when a user enables
additional NPM packages. As Yann pointed out the last time this patch series
was submitted, there are several legitimate scenarios where enabling
additional NPM packages is reproducible. However, the
BR2_DISABLE_TAINT_CHECKING option addresses these concerns.

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 package/nodejs/Config.in                | 3 +++
 package/nodejs/nodejs-src/nodejs-src.mk | 1 +
 2 files changed, 4 insertions(+)

Patch

diff --git a/package/nodejs/Config.in b/package/nodejs/Config.in
index c684f8eb86..80c58b2e94 100644
--- a/package/nodejs/Config.in
+++ b/package/nodejs/Config.in
@@ -74,6 +74,9 @@  config BR2_PACKAGE_NODEJS_MODULES_ADDITIONAL
 	  version), the uglify-js module at 1.3.4, a module from a
 	  filesystem path, and a module from a git repository.
 
+	  Warning:
+	  By default, using this option taints the build!
+
 config BR2_PACKAGE_NODEJS_MODULES_ADDITIONAL_DEPS
 	string "Additional module dependencies"
 	help
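Review bot: The added warning says the option "taints the build" without explaining what that means or what "By default" refers to, so someone reading it in menuconfig cannot tell the consequence or how to opt out. The commit message already has both pieces: additional NPM packages carry no reproducibility guarantee, and `BR2_DISABLE_TAINT_CHECKING` addresses the cases where they are reproducible. I would spell that out in the help text, for example `Warning: additional modules are not guaranteed to be reproducible, so using this option taints the build unless BR2_DISABLE_TAINT_CHECKING is set.` The help block for this option starts before the hunk.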
diff --git a/package/nodejs/nodejs-src/nodejs-src.mk b/package/nodejs/nodejs-src/nodejs-src.mk
index 3452c93728..d04e0416e9 100644
--- a/package/nodejs/nodejs-src/nodejs-src.mk
+++ b/package/nodejs/nodejs-src/nodejs-src.mk
@@ -242,6 +242,7 @@  NODEJS_SRC_MODULES_LIST= $(call qstrip,\
 #
 ifneq ($(NODEJS_SRC_MODULES_LIST),)
 NODEJS_SRC_DEPENDENCIES += host-nodejs
+NODEJS_TAINTS = YES
 define NODEJS_SRC_INSTALL_MODULES
 	# If you're having trouble with module installation, adding -d to the
 	# npm install call below and setting npm_config_rollback=false can both
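Review bot: The added `NODEJS_TAINTS = YES` uses the `NODEJS_` prefix, while every other variable in this hunk belongs to the `nodejs-src` package and is prefixed `NODEJS_SRC_` (`NODEJS_SRC_MODULES_LIST`, `NODEJS_SRC_DEPENDENCIES`, `NODEJS_SRC_INSTALL_MODULES`). The taint infrastructure comes from an earlier patch in the series and is not visible here. If it reads a per-package `<PKG>_TAINTS` variable, this assignment would never be seen for nodejs-src, and a build that installs additional npm modules would be reported as untainted. I would write `NODEJS_SRC_TAINTS = YES` and put a comment above it such as `# Additional npm modules are not guaranteed to be reproducible`. The `ifneq` block and the `define` both continue past the end of the hunk.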