by padjo
33 days ago
So in summary:

- a writable shared global cache is made available to PRs opened from forks by randomers.
- that cache is reused in the deploy pipeline
- deploys can be made with a single authentication factor, stored on the CI server
- the repository apparently does nothing to check for malicious deploys, delegating that to 3rd parties to do after the code is in the wild.
- by default the package manager runs random code when a package is updated

What a world we live in.
> This is the class of attack documented by Adnan Khan in 2024. It's not a TanStack-specific bug; it's a known GitHub Actions design issue that requires conscious mitigation.
While it seems the maintainers kinda went out of their way to enable this, GitHub could easily have at least turned off cache-sharing between fork jobs and the main jobs...
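The last bullet in the comment above (the package manager running code on install) is the one part of the chain a consumer can check locally. The following is an added example, not code from the thread or from any project discussed in it: it walks a `node_modules` tree and lists every package that declares an npm lifecycle hook that runs automatically at install time (`preinstall`, `install`, `postinstall`, `prepare`). The sample tree and the package names in it are constructed inline for the demonstration and are not real packages.

```python
"""List packages in a node_modules tree that run code at install time.

Added example for the thread above; the sample tree is constructed here
and the package names are fictional.
"""
import json
import os
import tempfile

# npm executes these hooks during `npm install` / `npm ci` unless
# ignore-scripts is set in .npmrc or passed on the command line.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(node_modules: str) -> dict[str, dict[str, str]]:
    """Return {package name: {hook: command}} for every package under
    node_modules that declares at least one install-time hook."""
    findings: dict[str, dict[str, str]] = {}
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        manifest_path = os.path.join(root, "package.json")
        try:
            with open(manifest_path, encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            # Unreadable or malformed manifest: skip it rather than guess.
            continue
        scripts = pkg.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            name = pkg.get("name") or os.path.relpath(root, node_modules)
            findings[name] = hooks
    return findings


def build_sample_tree() -> str:
    """Construct a throwaway node_modules with one package that only has a
    test script and one that runs a command on install (fictional names)."""
    nm = os.path.join(tempfile.mkdtemp(), "node_modules")
    samples = {
        "left-pad-ish": {
            "name": "left-pad-ish", "version": "1.0.0",
            "scripts": {"test": "node test.js"},
        },
        "totally-fine-utils": {
            "name": "totally-fine-utils", "version": "2.3.4",
            "scripts": {"postinstall": "node setup.js"},
        },
    }
    for dirname, manifest in samples.items():
        pkg_dir = os.path.join(nm, dirname)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return nm


if __name__ == "__main__":
    # Point this at a real ./node_modules to audit an actual project.
    tree = build_sample_tree()
    for pkg_name, hooks in sorted(find_install_scripts(tree).items()):
        for hook, cmd in hooks.items():
            print(f"{pkg_name}: {hook} -> {cmd}")
```

Run it against a project's real `./node_modules` after installing with `npm ci --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`); anything it lists is a package that would have executed a command during a normal install. Packages that genuinely need a build step can then be rebuilt selectively with `npm rebuild <package>` once they have been looked at, instead of letting every dependency update run whatever it ships.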