by eqmvii
1693 days ago
If I'm reading this correctly, the malicious code was new (higher) versions of the releases. Would this mean any project using a package.lock/yarn.lock was 'safe' going through deploys? So only new installs and builds without lock files could have grabbed the higher version? If so, I wonder if it's hard or impossible to swap a release version on NPM. Seems like that would hit a much wider audience before being detected.
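The scenario the comment asks about, as an added example that is not part of the original thread: a small Node script that reads a dependency range from package.json, the version recorded for it in package-lock.json, and the versions visible on the registry, and reports whether a locked install stays put while an unlocked install would float to a newer release. The package name `example-lib`, the versions, the registry URL and the integrity hash are all constructed for illustration; only caret (`^`) ranges are handled.

```javascript
// Added example, not code from the original comment or from npm.
// Shows why a lock file pins an install: the locked entry names an exact
// version plus an integrity hash, while an unlocked install re-resolves the
// range against whatever the registry currently lists.
// All package names, versions, URLs and hashes below are constructed.

function parseSemver(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// Caret ranges only (^x.y.z): at least the base version, same major;
// for 0.x bases the minor is fixed as well.
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error('only ^ ranges are handled in this example');
  const baseStr = range.slice(1);
  const base = parseSemver(baseStr);
  const v = parseSemver(version);
  if (compareSemver(version, baseStr) < 0) return false;
  if (base.major > 0) return v.major === base.major;
  return v.major === 0 && v.minor === base.minor;
}

// What a fresh install with no lock file would pick: the highest published
// version that satisfies the range (null if nothing matches).
function resolveWithoutLock(range, published) {
  const matches = published.filter((v) => caretSatisfies(range, v)).sort(compareSemver);
  return matches.length ? matches[matches.length - 1] : null;
}

// For each dependency, compare the locked version with what an unlocked
// install would fetch, and note whether the lock entry carries an integrity hash.
function auditLock(dependencies, lockPackages, published) {
  const report = {};
  for (const [name, range] of Object.entries(dependencies)) {
    const entry = lockPackages[`node_modules/${name}`];
    const floating = resolveWithoutLock(range, published[name] || []);
    report[name] = {
      locked: entry ? entry.version : null,
      hasIntegrity: Boolean(entry && entry.integrity),
      unlockedWouldFetch: floating,
      // true when an unlocked install would move past the locked version
      drift: Boolean(entry && floating && compareSemver(floating, entry.version) > 0),
    };
  }
  return report;
}

// Constructed inputs: a package.json range, the matching lockfile (v2-style
// "packages" map) entry, and the versions the registry currently lists.
const packageJsonDeps = { 'example-lib': '^1.2.0' };
const lockPackages = {
  'node_modules/example-lib': {
    version: '1.2.3',
    resolved: 'https://registry.example.invalid/example-lib/-/example-lib-1.2.3.tgz',
    integrity: 'sha512-CONSTRUCTED_PLACEHOLDER_HASH',
  },
};
// 1.3.0 stands in for a release published after the lock file was generated.
const registryVersions = { 'example-lib': ['1.2.3', '1.3.0', '2.0.0'] };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditLock(packageJsonDeps, lockPackages, registryVersions), null, 2));
}
```

Run with `node audit-lock.js`: the report shows `locked: "1.2.3"`, `unlockedWouldFetch: "1.3.0"` and `drift: true`, which is exactly the split the comment describes between deploys that honour the lock file and fresh installs that do not. Two npm behaviours matter for the follow-up question: `npm ci` installs only what the lock records and aborts if package.json and the lock disagree, and the `integrity` hash means a tarball replaced under an already-locked version fails verification at install time rather than being picked up silently.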