SECURITY-ISSUE: node_module dependency "ua-parser-js" is hijacked by malware #5769
Comments
@alex-drocks Maybe mark as
This came up in #infrasec-random as a security vulnerability. See the [Slack thread here for more context][slack]

[slack]: https://trussworks.slack.com/archives/C5B2EAX96/p1634928729001500

See related security announcements here:
- faisalman/ua-parser-js#536
- facebook/docusaurus#5769

Co-authored-by: Felipe Lee <felipe@truss.works>
Looks like this security vulnerability in our transitive dependency
Thanks for looking at the issue. Please do not close it yet. The beta-8 is still linked to the issue. I really suggest bumping out of the compromised versions range of ua-parser-js even if those packages were removed at the source. It is a major security issue, not a simple potential problem. I tried to reinstall beta-8 a few minutes ago and it does not install properly. It cannot start the dev server. There is still dust falling down around the issue. It should be visible.
The malicious versions had been removed from the NPM registry. The versions should now resolve to
Good to know. Thank you for checking. In my case the install failed, but it was not a fresh install (it's an active project which was at beta-6).
Expo has a good write-up on this:
🐛 Bug Report
ua-parser-js version 0.7.29 and higher contain malware
faisalman/ua-parser-js#536 (comment)
Prerequisites

- [x] I have tried the `npm run clear` or `yarn clear` command.
- [x] I have tried `rm -rf node_modules yarn.lock package-lock.json` and re-installing packages.

Description
One of the dependencies installed with `npm install` of the latest Docusaurus version was hijacked by a malware executable file. See the above-mentioned GitHub issue link, where you will get more details.