Deprecation of v9.2.0, v9.2.1, v10.1.2 #18

Closed
achrinza opened this issue Mar 20, 2022 · 0 comments
Deprecation of v9.2.0, v9.2.1, v10.1.2

Subscribe to this issue to receive critical updates on this advisory.

Summary

Applies to:

  • @achrinza/node-ipc@^9
  • @achrinza/node-ipc@^10

Deprecated:

  • @achrinza/node-ipc@9.2.0
  • @achrinza/node-ipc@9.2.1
  • @achrinza/node-ipc@10.1.2

Replacement:

  • @achrinza/node-ipc@9.2.2
  • @achrinza/node-ipc@10.1.3

Description

Out of an abundance of caution, v9.2.0, v9.2.1 and v10.1.2 have been deprecated in favor of v9.2.2 and v10.1.3, as they contained nested transitive production dependencies that are managed by @/riaevangelist (the original author of node-ipc).

The offending transitive development dependencies are:

  • @achrinza/node-ipc@9.2.0/v9.2.1/v10.1.2
    • js-queue@2.0.2
      • 2.0.2
        • easy-stack@^1.0.1
          • 1.0.1

v9.2.2 and v10.1.3 resolve this issue by switching js-queue to @node-ipc/js-queue, which depends on a pinned version of easy-stack. There are no functional code changes in v9.2.2 and v10.1.3.

At the time of writing, we have no reason to believe that any of these dependencies had any malicious code. However, this may change in the future and we strongly recommend upgrading the v9 and v10 version range to ^9.2.2 and ^10.1.3 respectively.

References

Repository owner locked and limited conversation to collaborators Mar 20, 2022
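
One way to check a project against this advisory, as an added example that is not code from the node-ipc repository: it walks a parsed `package-lock.json` and reports installs of the deprecated releases and of the two transitive packages named above. The function names `installed` and `audit` and the sample lockfile are assumptions made for illustration; the version lists come from the advisory.

```javascript
// Added example: flag the advisory's deprecated versions in an npm lockfile.
const DEPRECATED = { '@achrinza/node-ipc': ['9.2.0', '9.2.1', '10.1.2'] };
const TRANSITIVE = ['js-queue', 'easy-stack']; // packages the advisory names

// Yield {name, version, path} for each installed package in a parsed lockfile.
function* installed(lock) {
  if (lock.packages) {                       // lockfileVersion 2 and 3: flat map
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue;                   // "" is the root project itself
      const i = path.lastIndexOf('node_modules/');
      const name = meta.name || (i < 0 ? path : path.slice(i + 13));
      yield { name, version: meta.version, path };
    }
  } else {                                   // lockfileVersion 1: nested tree
    const stack = [[lock.dependencies || {}, '']];
    while (stack.length) {
      const [deps, prefix] = stack.pop();
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        yield { name, version: meta.version, path };
        if (meta.dependencies) stack.push([meta.dependencies, `${path}/`]);
      }
    }
  }
}

// Return one finding per affected install, with the reason it was flagged.
function audit(lock) {
  const findings = [];
  for (const pkg of installed(lock)) {
    if ((DEPRECATED[pkg.name] || []).includes(pkg.version)) {
      findings.push({ ...pkg, reason: 'deprecated release' });
    } else if (TRANSITIVE.includes(pkg.name)) {
      findings.push({ ...pkg, reason: 'transitive dependency named in advisory' });
    }
  }
  return findings;
}

// Constructed sample lockfile (v3 layout), not taken from a real project.
const SAMPLE = {
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@achrinza/node-ipc': { version: '9.2.1' },
    'node_modules/js-queue': { version: '2.0.2' },
    'node_modules/easy-stack': { version: '1.0.1' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};
```

Pass `audit` the result of `JSON.parse` on a project's `package-lock.json`; an empty array means none of the deprecated releases or named transitive packages are installed.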