-
packages
📦 Package configurations - The #1 free and open source CDN built to make life easier for developers. (by cdnjs)
-
cjdns
An encrypted IPv6 network using public-key cryptography for address allocation and a distributed hash table for routing.
You can make a request to have it added on our GitHub repository."
Amusingly you can see the "hey-sven" library they added to test the fix: https://github.com/cdnjs/packages/pull/695
If you download the tarball directly, https://registry.npmjs.org/hey-sven/-/hey-sven-1.0.2.tgz, then tar -ztvf hey-sven-1.0.2.tgz, you can see
-rw-r--r-- 0 ryotak staff 204 Jun 2 16:21 package/package.json
-rw-r--r-- 0 ryotak wheel 10 Jun 2 16:21 ../../../../../../../../../../tmp/ryotak
-rw-r--r-- 0 ryotak wheel 10 Jun 2 16:22 ../../../../../../../../../../tmp/ryotak.sh
I was curious if the offending commit is still there but I didn't see anything that looked like it: https://github.com/cdnjs/cdnjs/commits/master?after=6901ec10...
That commit log should give you a better sense of what happened if you (like me) didn't understand how cdnjs works. Apparently robocdnjs will just pull arbitrary packages and unzip and commit them into the cdnjs repo which then gets served all over the internet. Crazy!
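A defender-side check for the tarball listing discussed above, as an added example that is not code from cdnjs or from the commenters: it flags tar entries whose names would be written outside the extraction directory. The function names and the in-memory sample archive are constructed for illustration; a real `.tgz` would first be wrapped in `gzip.NewReader`.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// escapesRoot reports whether an entry name is absolute or still climbs with ".." once cleaned.
func escapesRoot(name string) bool {
	clean := filepath.Clean(name)
	return filepath.IsAbs(name) || clean == ".." ||
		strings.HasPrefix(clean, ".."+string(filepath.Separator))
}

// UnsafeEntries walks a tar stream and returns every entry name that escapes the extraction root.
func UnsafeEntries(r io.Reader) (bad []string, err error) {
	tr := tar.NewReader(r)
	// Under GODEBUG=tarinsecurepath=0, Next returns the header plus ErrInsecurePath; keep scanning.
	hdr, err := tr.Next()
	for ; hdr != nil; hdr, err = tr.Next() {
		if escapesRoot(hdr.Name) {
			bad = append(bad, hdr.Name)
		}
	}
	if err == io.EOF {
		err = nil
	}
	return bad, err
}

// sampleArchive builds a constructed tar that reuses the entry names from the listing above.
func sampleArchive() *bytes.Buffer {
	up := strings.Repeat("../", 10) + "tmp/"
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	for _, n := range []string{"package/package.json", up + "ryotak", up + "ryotak.sh"} {
		tw.WriteHeader(&tar.Header{Name: n, Typeflag: tar.TypeReg, Mode: 0644, Size: 1})
		tw.Write([]byte("x"))
	}
	tw.Close()
	return buf
}

func main() {
	fmt.Println(UnsafeEntries(sampleArchive()))
}
```

This covers only the name traversal visible in the listing; symlink and hardlink entries need their own check before extraction.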
I was really excited for a moment, because I thought this was cjdns https://github.com/cjdelisle/cjdns.
This exact thing is being discussed https://github.com/golang/go/issues/25849 here. Maybe take a look