Dependency on malicious package #5863
Comments
After reading a few articles about this issue, I don't think that locking dependencies would prevent this case from happening again, except if, each time we push a new version of

Looking at dominictarr/event-stream#116, many repositories with

We already discussed this a lot, though it was more than a year ago, but since I don't think it would have changed this specific case and because we didn't experience any other dependency issues, my position remains the same.

I was only saying that a package-lock.json would allow us to lock

You're right that a package-lock.json would not protect us from most vulnerabilities. It would help with auditing, however, which I believe has substantial benefit.
flatmap-stream is owned by a malicious actor. See here: dominictarr/event-stream#116

This repo depends on flatmap-stream. If you npm install today you'll get flatmap-stream@0.1.2, which I believe to be safe. However, there's no reason why the malicious maintainer cannot publish a new malicious 0.1.3. Adding a package-lock.json file would prevent this.

There's also no way to tell if anyone has been exposed to the malicious flatmap-stream@0.1.1 previously by using Chart.js. It's very likely that our developers have been exposed to this package in the past if they did an npm install at the time when the latest version of flatmap-stream was 0.1.1. Had we been using package-lock.json we would be able to check and take action more easily.

I would recommend we adopt package-lock.json and stop using unpinned dependencies. @etimberg @simonbrunel @nagix thoughts?