mirrors/axios
2
0
Fork 0
mirror of https://github.com/tenrok/axios.git synced 2026-06-20 20:00:40 +03:00
Code Activity

docs: refine descriptions and mitigations in THREATMODEL.md (#10718)

Browse Source
This commit is contained in:
Jay
2026-04-14 19:11:53 +02:00
committed by GitHub
parent cb7b9ade1b
commit 19e9b4162d
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
THREATMODEL.md
+3 -3
View File
@@ -402,11 +402,11 @@ This is the model that protects **what gets published as `axios` on npm**. A suc
| | | | | |
| --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Description** | Attacker with write access force-pushes an existing tag (`v1.15.0`) to point at a malicious commit, or pushes `v1.99.99` to publish out of band. | | **Description** | Attacker with write access force-pushes an existing tag to point at a malicious commit, or pushes `v1.99.99` to publish out of band. |
| **Likelihood** | Low (requires write access - assumed compromised at that point) | | **Likelihood** | Low (requires write access - assumed compromised at that point) |
| **Impact** | High | | **Impact** | High |
| **Mitigations** | • npm rejects re-publishing an existing version - re-tagging `v1.15.0` cannot overwrite the published `1.15.0`. <br>• Provenance attestation records the commit SHA the tag pointed to _at publish time_ - forensically verifiable. <br>• GitHub tag protection rules can prevent tag deletion/force-push. | | **Mitigations** | • npm rejects re-publishing an existing version - re-tagging you cannot overwrite the published `1.15.0`. <br>• Provenance attestation records the commit SHA the tag pointed to _at publish time_ - forensically verifiable. <br>• GitHub tag protection rules can prevent tag deletion/force-push. |
| **Gaps** | • Verify that tag protection is actually enabled on `v*` (repo setting, not visible from the codebase). <br>• A _new_ malicious version (`v1.15.1`) is still publishable by anyone with tag-push rights - this collapses back into T-S3 (account security). | | **Gaps** | A _new_ malicious version (`v1.x.x`) is still publishable by anyone with tag-push rights - this collapses back into T-S3 (account security). |
--- ---