by aylux2121
1803 days ago
I'm just trying to find the root cause. I see that this PR is merged by a contributor "xtuc". The root question is: why was this PR merged? Apart from reading/writing to other files in the build pipeline instance (which is a really good catch), the primary problem I see here is that anyone is able to deploy any arbitrary code/JavaScript to serve it from cdnjs. Just send a PR, then some contributor will merge it without checking the release package content. Don't you think that is open to a lot of issues?