GHSA-w687-f44x-x42j false positive? #419
Comments
I suppose this might be related: https://www.npmjs.com/package/com.unity.modules.audio If I had to hazard a guess, someone uploaded an infected package to npm with the exact same name of the package from upm (Unity Package Manager) in an attempt to accidentally have someone download from npm rather than upm. Since Unity borrowed most of the syntax (including However, I agree; additional clarification or confirmation on this would be greatly appreciated. Edit: This seems to not be limited to just one unity-related advisory:
Post processing got flagged, too. GHSA-3x2r-7cgg-82q2 (com.unity.postprocessing)
com.unity.modules.physics GHSA-pm97-j6q8-376p got flagged as well. Is any action required when everything has been loaded via Unity Hub / Unity Package Manager?
Guess it's a similar issue here? GHSA-fw55-8gwc-gf65 Have the first one installed but got a dependabot alert about the second one.
Do Unity packages ever auto-update? It looks like the malicious com.unity.textmeshpro (GHSA-cvgg-5542-9692) was only published 10 months ago, so I'm assuming that I'm safe since I haven't opened my Unity project file since then.
Apologies for the late reply on this thread, but for clarity what's happening is that malware is being uploaded to npm. These advisories are for the packages on npm and not for the unity packages. We have a known issue with dependabot where unity We suspect the malware is being uploaded to npm to squat the unity package names in the hopes that users also mix up npm and unity See also: #516
Hey all 👋 Quick update on this. I'm gonna close this issue out as we have just recently merged in a fix for this issue. If you see more erroneous alerts please feel free to reopen this issue or to make a new one 👍
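As an added triage example (not code from this issue, from GitHub, or from Unity), the script below reads a Unity `Packages/manifest.json` and checks whether the packages named in the advisories quoted in this thread would be resolved through the Unity Package Manager rather than fetched from npm. The manifest contents are constructed sample data, and the classification is a heuristic that assumes no `scopedRegistries` entry redirects the `com.unity` scope elsewhere.

```python
import json

# Constructed sample Packages/manifest.json (not from any real project).
SAMPLE_MANIFEST = """{
  "dependencies": {
    "com.unity.modules.audio": "1.0.0",
    "com.unity.modules.physics": "1.0.0",
    "com.unity.textmeshpro": "3.0.6",
    "com.unity.postprocessing": "3.2.2",
    "com.example.tooling": "https://github.com/example/tooling.git#v1.2.0",
    "left-pad": "^1.3.0"
  }
}"""

# Advisory -> package name pairs as reported in the comments above.
THREAD_ADVISORIES = {
    "GHSA-3x2r-7cgg-82q2": "com.unity.postprocessing",
    "GHSA-pm97-j6q8-376p": "com.unity.modules.physics",
    "GHSA-cvgg-5542-9692": "com.unity.textmeshpro",
}


def classify_dependency(name, spec):
    """Heuristic guess at where UPM resolves a dependency from.

    Assumes the default Unity registry serves the com.unity scope; a
    scopedRegistries override in the manifest would change the answer.
    """
    if name.startswith("com.unity.modules."):
        return "unity-builtin-module"      # engine module, never on npm
    if name.startswith("com.unity."):
        return "unity-registry"            # served by packages.unity.com
    if "://" in spec or spec.startswith("file:") or ".git" in spec:
        return "git-or-local"              # pinned URL / path, not a registry
    return "unknown-possibly-npm"          # npm-style range, worth a look


def triage(manifest_text, advisories):
    """Map each advisory to a triage verdict for this manifest."""
    deps = json.loads(manifest_text).get("dependencies", {})
    verdicts = {}
    for ghsa, pkg in advisories.items():
        if pkg not in deps:
            verdicts[ghsa] = "not-in-manifest"
            continue
        source = classify_dependency(pkg, deps[pkg])
        # A name squatted on npm is only a concern if we would pull from npm.
        verdicts[ghsa] = ("likely-false-positive" if source.startswith("unity-")
                          else "needs-review")
    return verdicts
```

Run `triage(SAMPLE_MANIFEST, THREAD_ADVISORIES)` against a real manifest to separate UPM-resolved names from anything that actually comes from npm.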
We received a dependabot alert about this advisory:
GHSA-w687-f44x-x42j
It's very strange, because this isn't an NPM package - it's a built-in element of the Unity game engine and is referenced from their "package.json" manifest files (not related to NPM).
Are there any more details about this advisory and if it is indeed an issue with Unity packages?
Thanks for any insight!