by OJFord 823 days ago
You mentioned contacting the security teams; was that/did you try HackerOne? I don't think they would allow you to try to deliberately do it from the outset (the preferred reproduction would surely be 1. Create package A; 2. Create package B via another owner; 3. Demonstrate that B rendered A un-unpublishable^), but you might have had more luck explaining that you stumbled into it and need help unwinding it there.

Funny idea, dumb policy, nice write-up!

^In the article you write 'immutable', but I think you mean that it can't be unpublished/de-listed? I suppose definitions vary; you could call that immutable, but to me the versions are always immutable, so that implies no new version could be published, which I don't think was the case?