[Question] Malware in com.google.external-dependency-manager?

[Nezz]

[READ] For Firebase Unity SDK question, please report to Firebase Unity Sample

Once you've read this section and determined that your issue is appropriate for this repository, please delete this section.

[REQUIRED] Please fill in the following fields:

• Unity editor version: N/A
• External Dependency Manager version: N/A
• Source you installed EDM4U: Unity Package Manager
• Features in External Dependency Manager in use: N/A
• Plugins SDK in use: N/A
• Platform you are using the Unity editor on: N/A

[REQUIRED] Please describe the question here:

We received the following security advisory:
GHSA-8h79-4gqv-44x8

Is this valid or a false positive?

[chkuang-g]

@Nezz

Thank you for reporting this.

First of all, I think this alert is for packages hosted on npm and we never officially push EDM4U to npm before.
I found these two packages:
https://www.npmjs.com/package/com.google.external-dependency-manager
https://www.npmjs.com/package/@playwind/com.google.external-dependency-manager
They are very likely published by third-party. I would not recommend to download packages from this channel unless you trust the publisher and accept the risk. The proper channel to download EDM4U is through this repo, or through Google API for Unity.

Secondly, it seems like this Github advisory database has a number of false-positive cases. github/advisory-database#419

In conclusion, if you are using the EDM4U from this repo, Google API for Unity or those included as part of Google SDKs, you should be good.

Does this answer your question?

[Nezz]

Thank you, that's the conclusion we came to as well.