Welcome to AsyncAPI. Thanks a lot for reporting your first issue. Please check out our contributors guide and the instructions about a basic recommended setup useful for opening a pull request. Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.
Describe the bug

Currently, this framework has a direct dependency on `node-ipc@^10.0.1`. Considering the recent developments of the `node-ipc` maintainer publishing malicious versions, are there any plans to switch to a fork?

Currently, the published versions now only have a harmless `peacenotwar` protestware dependency.

Depending on the threat model, pinning to a known-good version of `node-ipc` may not suffice as there are nested, transitive dependencies which are maintained by the same person. Hence, it may be possible for the same maintainer to publish a malicious version of `easy-stack`, `vanilla-test`, `ansi-colors-es6` or `strong-type`.

How to Reproduce

Installing the latest version of `glee` installs transitive dependencies managed by @riaevangelist.

Expected behavior

Switch to a clean fork of `node-ipc`. Some available forks that I'm aware of:

- `@achrinza/node-ipc` - My own fork
- `@node-ipc/node-ipc` - Another fork with new features