
update read-json #2

Merged
merged 1 commit into from Mar 24, 2016

zeke (Contributor) commented Mar 23, 2016

read-json was killed and revived today with a major version bump. This is an update to that new major version, which I don't think has any code changes.

Once this fix lands we can update the standardize versions of install-if-needed and read-json.

yoshuawuyts (Collaborator) commented Mar 23, 2016

👍

zeke (Contributor) commented Mar 23, 2016

So the install-if-needed tests are passing with this change, and the new read-json package appears to have the right code, but the new read-json repository is owned by @n-johnson (nj48 on npm), who seems to be on a malicious spree, republishing bunk data over the unpublished names. See substack/provinces#20

kesla referenced this pull request Mar 23, 2016: Update read-json #2 (Merged)

n-johnson commented Mar 23, 2016

Nothing malicious, just making sure a bad actor didn't get the packages and decide to publish malicious code.

I've been in contact with npm, who will be taking back most of the packages later today. However I've updated the most popular modules with their original source (including read-json) in an attempt to prevent hundreds of modules from breaking that were depending on those modules.

zeke (Contributor) commented Mar 23, 2016

Thanks for checking in, @n-johnson. Happy to hear you're trying to do the right thing.

> npm, who will be taking back most of the packages later today

Any idea how they plan to make this happen?

MylesBorins referenced this pull request Mar 24, 2016: `left-pad`-pocalypse #128 (Closed)

n-johnson commented Mar 24, 2016

> Any idea how they plan to make this happen?

Not entirely sure, but they've already removed them from my npm account, with the exception of the packages I asked to keep.

Most have been replaced with the security package, for example: https://www.npmjs.com/package/media

rprieto commented Mar 24, 2016

That's good to hear. A lot of us got scared because from what I remembered the take-over packages had no link to a Github repo, no README to say no fear, just a placeholder, and the uploaded content contained a shell script (at least provinces did). But 👍 to you for securing these modules before someone else did something bad with them, and giving them back to npm.
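The warning signs raised in this thread (a republished package with no repository link, no README, unexpected install hooks or shell scripts) can be checked mechanically before a dependency bump is merged. The following is an added example, not code from read-json, install-if-needed or npm; the manifests, file lists and the `example-org/read-json` repository URL are constructed for illustration.

```javascript
// Added example, not code from read-json, install-if-needed or npm: a
// defender-side check for the warning signs raised in this thread when a
// dependency is republished over a previously unpublished name.
// Inputs: the parsed package.json, the file list of the tarball, and the
// repository the project expects. Sample manifests below are constructed.

function auditPackage(manifest, files, expected) {
  const findings = [];
  const repoUrl = typeof manifest.repository === 'string'
    ? manifest.repository
    : (manifest.repository && manifest.repository.url) || '';
  // Placeholder take-overs in this incident shipped with no repository link...
  if (!repoUrl) findings.push('no repository field');
  // ...and no README explaining what happened.
  if (!files.some(f => /^readme(\.md)?$/i.test(f))) findings.push('no README in tarball');
  // A revived package should still point at the repo the project expects.
  if (expected.repo && repoUrl && !repoUrl.includes(expected.repo)) {
    findings.push(`repository ${repoUrl} does not match ${expected.repo}`);
  }
  // Lifecycle hooks run automatically on install; a new one deserves review.
  const scripts = manifest.scripts || {};
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (scripts[hook]) findings.push(`lifecycle hook ${hook}: ${scripts[hook]}`);
  }
  // A shell script in a pure-JS module (as reported for provinces) is unusual.
  const shell = files.filter(f => /\.sh$/i.test(f));
  if (shell.length) findings.push(`shell scripts in tarball: ${shell.join(', ')}`);
  return findings;
}

// Constructed sample of a legitimate manifest (hypothetical repo URL)...
const genuine = {
  name: 'read-json', version: '2.0.0',
  repository: { type: 'git', url: 'git+https://github.com/example-org/read-json.git' },
};
const genuineFiles = ['package.json', 'README.md', 'index.js'];

// ...and a constructed placeholder of the kind described above.
const placeholder = {
  name: 'read-json', version: '2.0.0',
  scripts: { postinstall: 'sh ./setup.sh' },
};
const placeholderFiles = ['package.json', 'index.js', 'setup.sh'];

if (typeof require !== 'undefined' && require.main === module) {
  const expected = { repo: 'example-org/read-json' };
  console.log(auditPackage(genuine, genuineFiles, expected));         // []
  console.log(auditPackage(placeholder, placeholderFiles, expected)); // 4 findings
}
```

In practice the file list would come from `npm pack` on the exact version being pulled in, and the expected repository from the project's own records rather than from the new manifest.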

zeke (Contributor) commented Mar 24, 2016

@mattdesl, what say you?

mattdesl (Owner) commented Mar 24, 2016

I just reached out to npm to see what their plan is on re-publishing the other 200+ modules, as I think it's the only real way to fix this across all my modules (and anyone else's modules who are affected). Let's see what happens.

mattdesl merged commit 22b733a into mattdesl:master Mar 24, 2016

mattdesl (Owner) commented Mar 24, 2016

I merged this one anyways and pushed a patch.

zeke (Contributor) commented Mar 24, 2016

grazie
