Hello all,

As you may have seen in security news announcements/websites, there was a 
widespread npm supply chain attack that occurred yesterday which impacted 
20+ widely used npm packages.

https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
https://thehackernews.com/2025/09/20-popular-npm-packages-with-2-billion.html

*At this time, DSpace 7.x - 9.x are unaffected by these compromised npm 
packages.* While some of the impacted npm packages are used by DSpace, no 
DSpace release uses any of the compromised versions of those packages. We 
also pin the version of all installed npm packages in our lock file 
(yarn.lock for 7.x-8.x or package-lock.json for 9.x) to ensure an 
unexpected package update doesn't occur. *That said, we will continue to 
monitor the situation in case additional compromised packages are 
announced.*

If your DSpace site has installed additional or custom npm packages, we 
highly recommend checking your "node_modules" directory and/or lock file 
(yarn.lock for 7.x-8.x or package-lock.json for 9.x) to verify you are not 
using any of the compromised versions of these npm packages.

If you have any questions, please let us know. If you'd like to discuss any 
security concerns privately, you may also contact the Committers via the 
email address security [at] dspace.org

Tim Donohue (on behalf of the DSpace Committers)
Technical Lead, DSpace
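An added example (not part of the message above or of the DSpace code base) showing one way to do the lock-file check it recommends: it reads a package-lock.json (lockfileVersion 2/3) or a yarn.lock (v1 format) and reports every installed package whose exact version is on a blocklist. The package names and versions in the blocklist and in the sample inputs are constructed placeholders; the real compromised versions are listed in the advisories linked above.

```javascript
// Added example (not from the DSpace announcement): scan a package-lock.json
// (lockfileVersion 2/3) or a yarn.lock (v1 format) for known-bad versions.
// Blocklist entries are "name@version"; the two below are CONSTRUCTED
// placeholders, fill in the versions named in the linked advisories.
const COMPROMISED = new Set(['example-pkg@1.2.3', '@scope/another-pkg@4.5.6']);

// package-lock.json keys every installed copy by path, so nested duplicates
// (node_modules/a/node_modules/b) are checked as well as top-level ones.
function scanPackageLock(jsonText, blocklist = COMPROMISED) {
  const hits = [];
  for (const [path, entry] of Object.entries(JSON.parse(jsonText).packages || {})) {
    if (path === '') continue; // the root project itself, not a dependency
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (blocklist.has(`${name}@${entry.version}`)) hits.push({ name, version: entry.version, path });
  }
  return hits;
}

// yarn.lock v1: an unindented header lists one or more selectors ("@scope/x@^1.0.0",
// x@~1.0.0:) and the indented "version" line below it gives the resolved version.
function scanYarnLock(text, blocklist = COMPROMISED) {
  const hits = [];
  let names = [];
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.trimEnd().endsWith(':')) {
      names = line.trimEnd().slice(0, -1).split(',').map((s) => {
        const sel = s.trim().replace(/^"|"$/g, '');
        return sel.slice(0, sel.lastIndexOf('@')); // drop the range, keep "@scope/name"
      });
      continue;
    }
    const m = line.match(/^\s+version\s+"?([^"\s]+)"?\s*$/);
    if (!m || !names.length) continue;
    for (const name of new Set(names)) {
      if (blocklist.has(`${name}@${m[1]}`)) hits.push({ name, version: m[1] });
    }
    names = [];
  }
  return hits;
}

// Constructed sample lock-file contents so the script runs stand-alone.
const SAMPLE_PACKAGE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  '': { name: 'dspace-angular', version: '9.0.0' },
  'node_modules/example-pkg': { version: '1.2.3' },
  'node_modules/safe-pkg/node_modules/example-pkg': { version: '1.2.2' } } });
const SAMPLE_YARN_LOCK = ['"@scope/another-pkg@^4.5.0", "@scope/another-pkg@~4.5.6":',
  '  version "4.5.6"', '', 'example-pkg@^1.2.0:', '  version "1.2.2"'].join('\n');
console.log(scanPackageLock(SAMPLE_PACKAGE_LOCK), scanYarnLock(SAMPLE_YARN_LOCK));
```

For a real site, pass `fs.readFileSync('package-lock.json', 'utf8')` (or the yarn.lock text) instead of the samples; a non-empty result means a blocklisted version is pinned in your lock file.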

You received this message because you are subscribed to the Google Groups 
"DSpace Community" group.
To view this discussion visit 
https://groups.google.com/d/msgid/dspace-community/f6d32ff1-3207-4fd2-ab2e-9922ad523d3cn%40googlegroups.com.