Information about how npm handles malicious versions of otherwise benign packages #438
Comments
|
If we determine a specific version of a package is malicious, and the package has adoption and generally was useful, we unpublish the malicious version and publish an advisory to document the malicious content. |
|
That seems to agree with what was done on the issue mentioned above. Should this information be added to the documentation, or is it such a rare case that you do not believe it is valuable to add? |
|
For high profile situations we end up making decisions based on a variety of factors, I don't think it makes sense to explicitly document |
|
Thanks for clarifying 😄 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I think the information regarding how npm handles malicious versions of otherwise benign packages could be improved in the documentation here:
https://docs.npmjs.com/reporting-malware-in-an-npm-package#how-npm-security-handles-malware.
Based on this issue for the
ua-parser-jspackage it seems like the version got unpublished.Does the npm security team recommend unpublishing? This removes the history and explanation from the npm website.
The text was updated successfully, but these errors were encountered: