Skip to main content

Unverifiable Dependency


Package installers typically install dependencies from their respective registries based on the name and release version of a specific package from the registry. Dependencies of this kind are verifiable in the sense that there is a reference in the registry itself for that package and version.

Many package installers also support installing directly from other external sources such as git repositories, gist, and URLs. A dependency of this kind is unverifiable in the sense that there is no way to guarantee that requested package from that external location is exactly and always the package intended.


As a general rule, all code from unknown sources ought to be considered with suspicion until the provenance of the code can be established. In this case of naming dependencies by an external reference, unverifiable dependencies introduce risk because of the uncertainty between what the package manifest is requesting and what is actually being delivered.


In the npm ecosystem, the package.json file contains a list of all of the package's dependencies (see the documentation for a complete discussion of the package.json file). npm allows a wide variety of ways to list a package's dependencies, including URLs as dependencies, git URLs, GitHub URLs, and even local paths.

The contrived package tomfoolery@1.0.0 on npm lists "react": "git://" as a dependency. Whatever code is at that location at that particular time is what will be imported as a dependency, and there is no way to guarantee from this reference alone that the intended version of react will be imported.