npm audit gives malware warning? #12
Comments
No worries @koesper, I got your first comment right. Anyhow, thank you for ANY feedback here, because I believe it will increase the chance of getting attention to the problem, at any level this package has.
@koesper what Node/npm version do you have where you try to install this package from its As you may have seen in my PR, I recreated the lock file also within NodeJS 16 to support the NEW API for lock files. So I assume if you have Node 10 or 12 OR 18 or 19 you may receive different output in regards to audit results. But in general I understand your doubt and concern in regards to
@koesper look, I have a simple npm project with
@andrii-lundiak I noticed that, and had the same result on my fork, where I basically copied the changes in your pull request.
And btw @koesper if you DIRECTLY install its
its
I noticed the naming discrepancy too, but wasn't sure if that was the problem. I'm also looking into the source of each of the npm published versions; in every one the name in the package.json is correct:
I'm trying to reproduce the steps, give me a minute
@koesper Also try to:
meaning that you will get the package AFTER my change in scope of my PR #13. You know. But that branch is based on
I think I'm going crazy. I've been able to reproduce this from scratch multiple times, but now my audit is not giving errors anymore. What I did was:
and then I got that error. Perhaps cleaning my npm cache triggered it to reload the audit data? I'm very confused, because now I can't reproduce it anymore. But I do feel that your pull requests should solve the problems! Thanks for going on this adventure with me @andrii-lundiak! I've learned a lot today about NPM security.
@koesper First of all
@koesper Second of all, if you use
@koesper And 3) sure, if you did
When installing @piwikpro/ngx-piwik-pro, npm audit throws a critical warning.
(I needed to install it with --force, because of issue #9: angular 14/15 support)
The report is for all versions, not just the latest, or a specific fork.
(Apologies to @andrii-lundiak, because I first thought the problem was in his PR #11, but it appears to be in all versions.)
I looked through the code, and haven't found anything suspicious myself, but this is very worrying.