by kmlx 1559 days ago
- @vue/cli
   - @vue/cli-ui
      - node-ipc@^9.2.1
   - @vue/cli-shared-utils
      - node-ipc@^9.1.1

Due to the nature of the ecosystem I feel like

- pinning the dependencies
- running something like renovate
- merging the resulting MRs with quite a delay from when they were opened

as some basic steps in mitigating this sort of silly, but potentially expensive, stuff.

2 comments

Note that the only vulnerable version was @vue/cli v5.0.2, which was intended to pin the version of node-ipc to v9.2.1 but accidentally allowed versions greater than that: https://github.com/vuejs/vue-cli/commit/37ef809c873f33c88ba7...

The mistake was fixed within 6 minutes: https://github.com/vuejs/vue-cli/commit/b0d931668e7e8450a285...

It looks like the malware version of @vue/cli has been downloaded a total of 170 times.[1] That's 0.13% of all downloads of that package this week. It's also important to note that @vue/cli has been deprecated for months. If you're making a new Vue project today[2] you'll use create-vue[3] which doesn't depend on node-ipc at all.

1. https://www.npmjs.com/package/@vue/cli?activeTab=versions

2. https://vuejs.org/guide/quick-start.html

3. https://github.com/vuejs/create-vue
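As an added example (not code from this thread, from vue-cli or from node-ipc), the difference between an exact pin and the accidental caret range described above, evaluated with plain semver caret rules, plus a check that flags unpinned specs in a manifest. The manifest below is constructed for illustration; the version numbers other than 9.2.1 are made up.

```javascript
// Parse an "x.y.z" version into three numbers (pre-release tags not handled).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Caret semantics: the first non-zero component of the base version is
// fixed, every later component may move up. So "^9.2.1" admits 9.2.2 and
// 9.9.9 but not 10.0.0 or 9.2.0; "^0.2.1" admits 0.2.5 but not 0.3.0.
function caretAllows(spec, version) {
  if (!spec.startsWith('^')) throw new Error('not a caret range: ' + spec);
  const b = parseVersion(spec.slice(1));
  const v = parseVersion(version);
  const fixed = b[0] !== 0 ? 1 : b[1] !== 0 ? 2 : 3;
  for (let i = 0; i < fixed; i++) if (v[i] !== b[i]) return false;
  for (let i = fixed; i < 3; i++) {
    if (v[i] > b[i]) return true;
    if (v[i] < b[i]) return false;
  }
  return true;
}

// An exact "x.y.z" spec matches only that version; a caret spec is a range.
function specAllows(spec, version) {
  if (spec.startsWith('^')) return caretAllows(spec, version);
  return parseVersion(spec).join('.') === parseVersion(version).join('.');
}

// Report every dependency whose spec is not an exact x.y.z pin.
function findUnpinned(manifest) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!/^\d+\.\d+\.\d+$/.test(spec.trim())) out.push({ field, name, spec });
    }
  }
  return out;
}

// Constructed manifest: node-ipc left on a caret range by mistake, the
// other entries pinned exactly. Not the real @vue/cli-ui package.json.
const SAMPLE_MANIFEST = {
  name: 'sample-cli-ui',
  dependencies: { 'node-ipc': '^9.2.1', 'sample-lib-a': '1.4.0' },
  devDependencies: { 'sample-tool-b': '3.0.2' },
};

console.log(findUnpinned(SAMPLE_MANIFEST)); // flags node-ipc "^9.2.1"
```

A lockfile or `npm ci` decides what is actually installed; this check only shows which manifest entries leave the choice to the resolver at install time.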

n-1 is a great concept that works right up until log4shell starts happening.

The solution is to audit all code you rely on; the unviability of that solution is the fault of the npm micro package ecosystem.

The micro package ecosystem is also self-reinforcing: some micro packages were created by the same developers who have spun ownership of these things into more lucrative positions.

I've tried to get rid of micro packages in the dependency tree of popular libraries, but because it's a turf war, PRs get closed, and the problem continues.

I don’t think anything will change until large development firms pressurise popular projects to stop the behaviour.

I hope you speak with executive and lead developers to highlight the volatility of the ecosystem, like I do, every chance I get.

Node.js just needs a proper standard library and this will stop in no time. Never going to happen though.

Curious why that might be, if you have any insights?