Description
Motivation ("The Why")
Packages on the npm registry should not be allowed to have "external dependencies" (i.e. a dependency that is not hosted on the npm registry), because such dependencies do not have the same properties as npm-hosted packages while being nearly invisible to the end user.
For further reference:
- This proposal is based on the research from "Stepping out of Bounds: Security Impact of Allowing Packages on npm to Declare External Dependencies". Based on its analysis, external dependencies are already rare on npm.
- In the Rust ecosystem, while Cargo allows for external dependencies, you are not allowed to publish to crates.io if you depend on one. From the Cargo docs: "crates.io does not allow packages to be published with dependencies on code published outside of crates.io."
Example
There are two big reasons that motivate this change:
- The external dependency may become unavailable. Unlike npm, which largely ensures (used) packages don't just disappear, external dependencies do not have that guarantee.
- The external dependency may be changed. Unlike npm, which guarantees that published packages are immutable, external dependencies may be changed at any time. Some ways of specifying them (e.g. by git commit sha(?)) could be argued to provide sufficient integrity guarantees, but otherwise integrity requires a lockfile. This is inconsistent with "normal" usage of the npm registry and can break the security expectations of users.
How
Current Behaviour
External dependencies are allowed.
Desired Behaviour
Any new package published to the npm registry should be checked for external dependencies, and if any are found the publication should be rejected. This should only apply to new publications, so as to avoid breaking existing deployments. The npm CLI should consider adding a warning when an external dependency appears in the dependency hierarchy, as a "mitigation" for the historical baggage of this feature.
A grace period is probably in order during which attempted publications of packages with external dependencies are not flat out rejected, but the client is only warned about upcoming changes.
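The publish-time check and the grace-period behaviour described above could look like the following. This is an added illustration, not code from the RFC or from the npm CLI or registry: the specifier grammar is a hand-written approximation of how npm distinguishes registry ranges, `npm:` aliases, git URLs, GitHub shorthand, tarball URLs and `file:` paths (it does not use npm's own `npm-package-arg`), the sample `package.json` object is constructed for the example, and the decision to skip `devDependencies` (which consumers never install) is a design choice of this example.

```javascript
// Added example (not part of the RFC or of npm): flag dependency specifiers in a
// package.json that point outside the npm registry and decide whether a publish
// should be rejected or merely warned about during a grace period.
// The prefix table is an approximation of npm's specifier rules (assumption).

// Specifier prefixes that always mean "not hosted on the npm registry".
const EXTERNAL_PREFIXES = [
  'git+', 'git:', 'github:', 'gitlab:', 'bitbucket:', 'gist:', // git hosts
  'http:', 'https:',                                          // remote tarballs
  'file:', './', '../', '/', '~/',                            // local paths
];

// GitHub shorthand "user/repo" or "user/repo#ref". A scoped name such as
// "@scope/name" never appears here, because a specifier is a range, not a name.
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(#.*)?$/;

// Returns 'registry' or 'external' for a single dependency specifier.
function classifySpecifier(spec) {
  const s = String(spec).trim();
  // "npm:other-name@^1.0.0" is a registry alias: still hosted on the registry.
  if (s.startsWith('npm:')) return 'registry';
  if (EXTERNAL_PREFIXES.some((p) => s.startsWith(p))) return 'external';
  if (GITHUB_SHORTHAND.test(s)) return 'external';
  // Everything else is treated as a semver range or dist-tag (e.g. "latest").
  return 'registry';
}

// Fields that consumers actually install; devDependencies are deliberately
// excluded here (design choice of this example).
const DEP_FIELDS = ['dependencies', 'optionalDependencies', 'peerDependencies'];

// Lists every external dependency in a parsed package.json object.
function findExternalDependencies(pkg) {
  const found = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (classifySpecifier(spec) === 'external') found.push({ field, name, spec });
    }
  }
  return found;
}

// policy: 'warn' during the grace period (publish allowed, client warned),
// 'reject' once the grace period is over.
function checkPublish(pkg, policy = 'reject') {
  const external = findExternalDependencies(pkg);
  if (external.length === 0) return { ok: true, external };
  return { ok: policy === 'warn', external };
}

// Constructed sample package.json with a mix of registry and external specifiers.
const SAMPLE_PACKAGE = {
  name: 'example-pkg',
  version: '1.0.0',
  dependencies: {
    lodash: '^4.17.21',                                   // registry range
    'left-pad': 'npm:left-pad@^1.3.0',                    // registry alias
    'some-lib': 'github:example-org/some-lib#v1.2.0',     // git host
    'other-lib': 'https://example.invalid/other-lib.tgz', // remote tarball
    'local-lib': 'file:../local-lib',                     // local path
  },
  devDependencies: { mocha: '^10.0.0' },                  // ignored by the check
};

// Stand-alone run: behave as a grace-period client would.
const result = checkPublish(SAMPLE_PACKAGE, 'warn');
for (const d of result.external) {
  console.log(`warning: ${d.field}.${d.name} is an external dependency (${d.spec})`);
}
console.log(result.ok ? 'publish allowed (grace period)' : 'publish rejected');
```

Running the block as written prints three warnings (for `some-lib`, `other-lib` and `local-lib`) and allows the publish; calling `checkPublish(SAMPLE_PACKAGE)` with the default `'reject'` policy returns `ok: false` for the same package, which is the post-grace-period behaviour the proposal asks for.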
References
none