package-lock not pointing at official npm sources

[unusualbob]

Hi,

The company I work for was evaluating this repository and we noticed that the package-lock contains dependency references to unofficial mirrors on huaweicloud.com

For example:

appsflyer-cordova-plugin/package-lock.json

Line 9 in d4ca026

"resolved": "https://repo.huaweicloud.com/repository/npm/balanced-match/-/balanced-match-1.0.2.tgz",

It looks that they were pointing at the official location up until a recent rebase at the end of July, here's a previous version of the lock file:

appsflyer-cordova-plugin/package-lock.json

Line 9 in 07fe31c

"resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.0.tgz",

Is there a reason for this, or is it unintentional?

Given that dependencies have been a known method of introducing malicious code in the past few years we're concerned that this package is not taking dependency security seriously.

[pazlavi]

Hi @unusualbob ,
Thank you for reaching out to us and raising this issue.

We unintentionally used this source. It happens because of a machine's wrong configuration the plugin was released from. We already fixed the configuration, and the upcoming version will point to the official repo.