Use a blacklist for bad packages

This addresses the primary concern in https://github.com/jsdelivr/jsdelivr/issues/13136
2016-08-25 12:47:13 -06:00 · 2016-08-25 12:47:13 -06:00 · e8b0857f11
parent a494d93272
commit e8b0857f11
4 changed files with 9 additions and 1 deletions
--- a/PackageBlacklist.json
+++ b/PackageBlacklist.json
@ -0,0 +1,3 @@
+{
+  "goodjsproject": true
+}
--- a/modules/client/components/About.md
+++ b/modules/client/components/About.md
@ -41,6 +41,10 @@ The goal of npmcdn is to provide a hassle-free CDN for npm package authors. It's

 npmcdn is not affiliated with or supported by npm, Inc. in any way. Please do not contact npm for help with npmcdn.

+### Abuse
+
+npmcdn blacklists some packages to prevent abuse. If you find a malicious package on npm, please take a moment to add it to [our blacklist](https://github.com/mjackson/npmcdn/blob/master/PackageBlacklist.json)!
+
 ### Feedback

 If you think this is useful, I'd love to hear from you. Please reach out to [@mjackson](https://twitter.com/mjackson) with any questions/concerns.
--- a/modules/server/ServerConfig.js
+++ b/modules/server/ServerConfig.js
@ -14,3 +14,4 @@ export const bowerBundle = process.env.BOWER_BUNDLE || '/bower.zip'
 export const redirectTTL = process.env.REDIRECT_TTL || 500
 export const autoIndex = !process.env.DISABLE_INDEX
 export const redisURL = process.env.REDIS_URL
+export const blacklist = require('../../PackageBlacklist')
--- a/package.json
+++ b/package.json
@ -36,7 +36,7 @@
    "json-loader": "^0.5.4",
    "markdown-loader": "^0.1.7",
    "morgan": "^1.7.0",
-    "npm-http-server": "^3.4.0",
+    "npm-http-server": "^3.6.0",
    "on-finished": "^2.3.0",
    "postcss-loader": "^0.9.1",
    "react": "^15.1.0",