Hi @unusualbob ,
Thank you for reaching out to us and raising this issue.
We unintentionally used this source. It happened because of a wrong configuration on the machine the plugin was released from. We have already fixed the configuration, and the upcoming version will point to the official repo.
Hi,
The company I work for was evaluating this repository and we noticed that the package-lock contains dependency references to unofficial mirrors on huaweicloud.com.
For example:
appsflyer-cordova-plugin/package-lock.json, line 9 at commit d4ca026
It looks like they were pointing at the official location up until a recent rebase at the end of July; here's a previous version of the lock file:
appsflyer-cordova-plugin/package-lock.json, line 9 at commit 07fe31c
Is there a reason for this, or is it unintentional?
Given that dependencies have been a known method of introducing malicious code in the past few years, we're concerned that this package is not taking dependency security seriously.
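The check the reporter did by hand (reading the `resolved` URLs in package-lock.json) can be automated so it runs in CI before a lock file change is merged. The script below is an added example and is not code from the appsflyer-cordova-plugin project or from either participant in this issue. It assumes an allow-list consisting only of registry.npmjs.org (adjust it for an internal registry), handles both lockfileVersion 1 ("dependencies") and lockfileVersion 2/3 ("packages") layouts, and flags three things a reviewer cares about: a tarball host outside the allow-list, a non-HTTPS URL, and a missing `integrity` hash. The embedded lock file is a constructed sample; the mirror host `mirrors.huaweicloud.com` in it is a constructed value under the domain named in the issue, not a URL copied from the repository.

```javascript
// Added example: audit "resolved" URLs in an npm package-lock.json.
// Not part of the appsflyer-cordova-plugin project.

// Hosts a tarball is allowed to come from (assumption: only the public registry).
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']);

// lockfileVersion 1 nests packages under "dependencies" recursively.
function* walkV1(deps, prefix = '') {
  for (const [name, entry] of Object.entries(deps || {})) {
    yield [prefix + name, entry];
    if (entry.dependencies) yield* walkV1(entry.dependencies, prefix + name + ' > ');
  }
}

// Yield [name, entry] for every package regardless of lockfile version.
// v2 lock files carry both "packages" and "dependencies"; use "packages" only
// so each package is reported once.
function* walkLock(lock) {
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue; // root project entry, has no tarball
      yield [path, entry];
    }
  } else if (lock.dependencies) {
    yield* walkV1(lock.dependencies);
  }
}

// Return a list of findings; an empty list means every tarball is
// HTTPS, from an allowed host, and pinned by an integrity hash.
function auditLock(lock, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const [name, entry] of walkLock(lock)) {
    if (entry.link) continue; // workspace symlink, nothing is downloaded
    if (!entry.resolved) {
      findings.push({ name, reason: 'missing resolved URL' });
      continue;
    }
    let url;
    try {
      url = new URL(entry.resolved);
    } catch {
      findings.push({ name, reason: 'unparseable resolved URL', resolved: entry.resolved });
      continue;
    }
    if (url.protocol !== 'https:') {
      findings.push({ name, reason: `non-https scheme ${url.protocol}`, resolved: entry.resolved });
    }
    if (!allowedHosts.has(url.hostname)) {
      findings.push({ name, reason: `unexpected host ${url.hostname}`, resolved: entry.resolved });
    }
    if (!entry.integrity) {
      findings.push({ name, reason: 'missing integrity hash' });
    }
  }
  return findings;
}

// Convenience wrapper for use from a CI step: auditLockFile('package-lock.json').
function auditLockFile(path, allowedHosts = ALLOWED_HOSTS) {
  const fs = require('fs');
  return auditLock(JSON.parse(fs.readFileSync(path, 'utf8')), allowedHosts);
}

// Constructed sample lock file (lockfileVersion 2). Integrity values are placeholders.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER',
    },
    'node_modules/is-number': {
      version: '7.0.0',
      // constructed mirror URL under the domain named in the issue
      resolved: 'https://mirrors.huaweicloud.com/repository/npm/is-number/-/is-number-7.0.0.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER',
    },
    'node_modules/ws': {
      version: '8.0.0',
      resolved: 'http://registry.npmjs.org/ws/-/ws-8.0.0.tgz', // plain http, no integrity
    },
  },
};

// Running the audit on the sample yields three findings: one unexpected host
// for is-number, and a non-https scheme plus missing integrity for ws.
const sampleFindings = auditLock(SAMPLE_LOCK);
for (const f of sampleFindings) {
  console.log(`${f.name}: ${f.reason}${f.resolved ? ' (' + f.resolved + ')' : ''}`);
}
```

In a pipeline, fail the job when `auditLockFile('package-lock.json').length` is non-zero; the lock file diff in the issue above (official registry at 07fe31c, mirror host at d4ca026) is exactly the kind of change this would have stopped at review time.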