GHSA-pjwm-rvh2-c87w
deno-puppeteer
| GHSA-pjwm-rvh2-c87w | deno-puppeteer |
|---|---|
| 8 | 5 |
| - | 439 |
| - | - |
| - | 0.0 |
| - | 5 months ago |
| - | TypeScript |
| - | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
GHSA-pjwm-rvh2-c87w
-
Attack Simulator for SolarWinds, Codecov, and ua-parser-js breaches
The SUNSPOT malware, the Codecov breach, and a lot of compromised open-source packages (as was the case with ua-parser-js) target the CI/CD pipeline to modify the release build or exfiltrate credentials.
- Embedded malware in ua-parser-js - critical severity
- Embedded malware in ua-parser-JS (NPM package)
-
PSA: Tor.com was hacked and is currently spreading malware
I think you are misunderstanding the attack vector in the article you linked. This isn't the same thing we were discussing, please see https://github.com/advisories/GHSA-pjwm-rvh2-c87w. This was not a compromise designed to go after the visitors of the website so far as I can tell (and even if it were, it couldn't do much except possibly steal a password if you entered it on a compromised site or steal cookie data). This was designed to target people who were using the library in their software, aka, it was targeting the build chain of the developers, and many devs and companies as a result had computers compromised when they updated their versions, which caused the compromised version to download to their computers.
- Supply-chain attack on NPM Package UAParser, which has millions of daily downloads
- The npm package ua-parser-js had three versions (0.7.29, 0.8.0, 1.0.0) published with malicious code.
- Embedded crypto miner in ua-parser-JS
-
BREAKING!! NPM package ‘ua-parser-js’ with more than 7M weekly download is compromised
GitHub has published an advisory for the package: https://github.com/advisories/GHSA-pjwm-rvh2-c87w
deno-puppeteer
-
Unity ships Node-IPC vulnerability
In an ideal world, yes, but in reality Deno's permission model is quite hard to use, so many libraries require disabling a lot of it, sometimes everything, like puppeteer. Another example is the library I maintain: it requires --allow-net since you can't whitelist a domain and all its subdomains, just a domain.
-
What's the best way to generate a PDF from html in deno?
```ts
import puppeteer from "https://deno.land/x/[email protected]/mod.ts";

// Launch a headless Chromium instance controlled by puppeteer
const browser = await puppeteer.launch();
const page = await browser.newPage();

// Wait until the page has no more than 2 in-flight network requests
await page.goto("https://news.ycombinator.com", { waitUntil: "networkidle2" });

// Render the loaded page to an A4 PDF on disk
await page.pdf({ path: "hn.pdf", format: "A4" });
await browser.close();
```
-
Fake npm Roblox API Package Installs Ransomware and has a Spooky Surprise
I agree that the semantics for that are complicated, but I think adopting the browser permission model is bad because browsers have per-site isolation, but how is Deno going to do that for applications that require executing external binaries? Also, even if you could whitelist some binaries, there are Deno packages, such as deno-puppeteer, which don't list what permissions they require; instead they instruct users to enable all permissions using -A. By the way, why just -A? Why not --unsafely-enable-all-permissions (like Chromium's --unsafely-treat-insecure-origin-as-secure)?
-
BREAKING!! NPM package ‘ua-parser-js’ with more than 7M weekly download is compromised
Maybe people forget about this permission system because either they are not experienced with Deno or because they just slap -A on everything. Some packages such as deno-puppeteer even put it in all examples without even adding a note about its risks.
What are some alternatives?
npm-force-resolutions - Force npm to install a specific transitive dependency version
puppeteer-cluster - Puppeteer Pool, run a cluster of instances in parallel
micromatch - Highly optimized wildcard and glob matching library. Faster, drop-in replacement to minimatch and multimatch. Used by square, webpack, babel core, yarn, jest, react-native, taro, bulma, browser-sync, stylelint, nyc, ava, and many others! Follow micromatch's author: https://github.com/jonschlinkert
puppeteer - Node.js API for Chrome
is-mobile - Check if mobile browser, based on useragent string.
jsPDF - Client-side JavaScript PDF generation for everyone.
is-number - JavaScript/Node.js utility. Returns `true` if the value is a number or string number. Useful for checking regex match results, user input, parsed strings, etc.
react-pdf - 📄 Create PDF files using React
Dapper - Dapper - a simple object mapper for .Net [Moved to: https://github.com/DapperLib/Dapper]
handlebars-helpers - 188 handlebars helpers in ~20 categories. Can be used with Assemble, Ghost, YUI, express.js etc.
NUnit - NUnit Framework
enquirer - Stylish, intuitive and user-friendly prompts, for Node.js. Used by eslint, webpack, yarn, pm2, pnpm, RedwoodJS, FactorJS, salesforce, Cypress, Google Lighthouse, Generate, tencent cloudbase, lint-staged, gluegun, hygen, hardhat, AWS Amplify, GitHub Actions Toolkit, @airbnb/nimbus, and many others! Please follow Enquirer's author: https://github.com/jonschlinkert