Thanks for the alert about this Antranig.

It is probably a good time to set up two-factor authentication for our npm
accounts, for those that haven’t already.
https://docs.npmjs.com/getting-started/using-two-factor-authentication

Thanks
Justin


On July 13, 2018 at 8:03:11 AM, Antranig Basman (
[email protected]) wrote:

Our project policy has for some time been to only permit exact versions to appear in project dependencies listed in package.json - this is at odds with most industry recommendations, and also the action of several automated tools, to allow open semver ranges of the form "~3.7.1". As it turns out, yesterday a virus was distributed exploiting exactly this facility - written up at https://github.com/eslint/eslint-scope/issues/39 , this involved compromise of the npm credentials of the maintainer of a widely used package for linting to upload a corrupt version to the package registry with only a minor version update. This is not a package that we used, but it is one that we might have used quite easily, and had our policy not been in place we would have been exposed to the exploit (which in this case was a rather clumsy and harmless one, but you never know).

Our code review policies ensure that only fixed versions of the form "3.7.1" appear in our dependencies, so do be vigilant to ensure any ranges don't slip through. Note that problems of this kind could affect non-runtime dependencies such as devDependencies used for linting tasks of this kind.

Cheers,

Antranig.
_______________________________________________
Architecture mailing list
[email protected]
https://lists.gpii.net/mailman/listinfo/architecture