Rename the "arduino-ide-extension" NPM package to be scoped #2396

Xayton · 2024-03-08T16:52:06Z

Describe the request

The Arduino IDE2 repository package.json file references two sub-packages, using the workspaces functionality. Even if these sub-packages are private, their name can be registered online on npmjs.com and any content can be published in it, including malware. If this happens, NPM or Yarn will report that the Arduino IDE2 project contains malware.

See this reproduction example repo here.

Proposed solution:

rename the arduino-ide-extension package (inside this package.json file) to @arduino/arduino-ide-extension making it scoped.
update the code to make sure everything works correctly. There is no need to rename the arduino-ide-extension folder.

Notes:

Arduino owns the @arduino organization on npmjs.com, so this change should block anybody from publishing again a package containing malware.

Arduino IDE version

2.3.2

The text was updated successfully, but these errors were encountered:

Xayton added type: enhancement topic: security labels Mar 8, 2024

per1234 added the topic: infrastructure label Mar 9, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Rename the "arduino-ide-extension" NPM package to be scoped #2396

Rename the "arduino-ide-extension" NPM package to be scoped #2396

Xayton commented Mar 8, 2024 •

edited

Loading

Rename the "arduino-ide-extension" NPM package to be scoped #2396

Rename the "arduino-ide-extension" NPM package to be scoped #2396

Comments

Xayton commented Mar 8, 2024 • edited Loading

Describe the request

Arduino IDE version

Xayton commented Mar 8, 2024 •

edited

Loading