fbjs > ua-parser-js@0.7.29: this package has been hijacked #464
Comments
ttahmouch
pushed a commit
to ttahmouch/gutenberg
that referenced
this issue
Oct 23, 2021
…cause the author didn't have 2FA enabled. I think that `npm` dependency was targeted because it's one of the more popular dependencies and the attacker was leveraging it for crypto mining and environment stealing. I noticed a few of our transitive dependencies depend on `"ua-parser-js": "^0.7.x"` in `gutenberg/trunk` (and probably other repositories). Luckily, it's currently locked to `0.7.[23|28]` in `package-lock.json`, but it may just be a matter of time before an `npm update` inadvertently updates the lock file.
0. If it is feasible, it looks like we may be able to leverage the `package.json` to only resolve `"resolutions": { "**/ua-parser-js": "0.7.28" }` from all transitive dependencies in the meantime. That is what is done in this commit.
1. It doesn't appear that `@types/ua-parser-js` is resolving to `0.7.28`. I'm unsure at the moment if it is even being used, and what dependency would even need the TypeScript types since presumably all of them should be exporting JavaScript modules that don't need compilation(?). Does someone else possibly know if the types are used, or if they even need to match the version of their counterpart JavaScript module?
2. Presumably, we'd want to remove the `resolutions` field from the `package.json` when `appium` and `fbjs` bump their, or transitive, `package.json`s to `^0.7.30`.
**Having written all of this, it looks like [`npmjs.org` revoked `0.7.29`](https://www.npmjs.com/package/ua-parser-js) from even being available for download and `0.7.30` and `0.8.1` were both published on October 22, 2021. So it likely won't cause future issues because it won't even be possible to download the dependency, but some people may have had `0.7.29` on their machines and may have been compromised.**
---
[Security issue: compromised npm packages of ua-parser-js (0.7.29, 0.8.0, 1.0.0) - Questions about deprecated npm package ua-parser-js WordPress#536](faisalman/ua-parser-js#536)
[Issue Comment](faisalman/ua-parser-js#536 (comment))
[fbjs > ua-parser-js@0.7.29: this package has been hijacked WordPress#464](facebook/fbjs#464)
```
$ npm ls ua-parser-js
gutenberg@11.7.0-rc.1 /Users/ttahmouch/Desktop/src/gutenberg
├─┬ @wordpress/react-native-editor@1.63.0 -> /Users/ttahmouch/Desktop/src/gutenberg/packages/react-native-editor
│ ├─┬ UNMET PEER DEPENDENCY react-native-gesture-handler@1.10.1-wp-3
│ │ └─┬ fbjs@3.0.0
│ │ └── ua-parser-js@0.7.28
│ └─┬ react-native-reanimated@1.9.0-wp-1
│ └─┬ fbjs@1.0.0
│ └── ua-parser-js@0.7.28 deduped
└─┬ appium@1.20.2
└─┬ appium-base-driver@7.4.0
└─┬ webdriverio@6.10.11
└─┬ devtools@6.10.11
└── ua-parser-js@0.7.23
```
7 tasks
|
3.0.1 and 0.8.18 have been published |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Version 0.7.29 of ua-parser.js has been hijacked by malicious code. Please bump the dependency version to a non-compromised version. See: faisalman/ua-parser-js#536
The text was updated successfully, but these errors were encountered: