-
Notifications
You must be signed in to change notification settings - Fork 335
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
package unrightfully marked as malware #4725
Comments
Hi @tlouisse, |
So this advisory is there to prevent people from downloading a malicious package from npm, I suppose? It seems like it's not possible anymore to get malicious content via GHSA-5fx7-hqw3-mg99 now says:
In our company, we have |
Your internal packages should be only behind a scope, one you own publicly - that's the proper solution here. |
Ah, thanks. We thought about that indeed. I hope we can solve it without doing breaking changes, though. It's a package with a lot of consumers and a huge migration cost. That means a lot of false positives for the foreseeable future until everyone has migrated. Would it also be possible to ask ownership from npm and release something (0.0.1 or smth) that would be considered safe? |
There is approximately zero chance of them doing that :-) Changing a package name with no other code changes shouldn't be that disruptive. |
On a project level it is not disruptive, but on a full software landscape (around ~2000 dependents that we want to properly dedupe for performance) including all documentation referring to it, it's not completely trivial... But thanks, if this is our only option, it's worth considering :) |
It's a critical task to prevent supply chain attacks - for any internal packages you have - so I hope you're able to roadmap it. |
Thanks, but my line of reasoning was that the supply chain attacks are prevented by the fact that npm owns the package now and took security measures. Hence I don't understand why it's not possible to update the status of GHSA-5fx7-hqw3-mg99 (I assume this would have been withdrawn for the latest version of a package in case we owned the package on npm and released a security fix?) |
For that specific package, yes, but I mean in general, one should never have an internal package with a name that's publicly owned by somebody else. |
@ljharb @shelbyc Thanks for your support on this. I am the Product Manager for Design System of ING , the topic that we are discussing is a subject that somebody try to harm our company before, it seems they knew what they are doing, they picked the same package and put a vırus on it. Anyway we took action and make npm folks block it. Now github report gives a result for >= version alert which is not also correct, latest package on npm was neutralized by npm and it does not contain a virus any more. So github report is wrong and needs to be corrected. For older versions , yoy are right it should stay there for keeping people safe. For current state it creates problem to a huge corporate since all off our security scans generates false positive result according to this incorrect versioning that contains all versions. Can you help us at least not block all versions but only effected ones? It does not even needed to be accurate , we can block 0<>1 , since latest version on npm is safe technically it does not contain a virus. According to version history 0.0.1-security version and later is safe. I wish you a great day! |
I recommend submitting a name dispute so you may eventually re-use the package name, deprecate it, or unpublish it if criteria is properly satisfied.
I second @shelbyc's comment, the security advisory is used to inform and prevent download of said package. As for now, we should maintain the package with the common security advisory as referred below without any expiration date, making the record persistent unless ownership is transferred for reasons such as name dispute.
Thanks for understanding! |
Hi there,
An npm package called 'ing-web' is unrightfully marked as malware: GHSA-5fx7-hqw3-mg99
However, the malicious code is already removed from the registry for a long time: https://www.npmjs.com/package/ing-web
Can this please be updated?
Thanks in advance!
The text was updated successfully, but these errors were encountered: