Our great sponsors
-
node-ipc
A nodejs module for local and remote Inter Process Communication (IPC), Neural Networking, and able to facilitate machine learning. (by RIAEvangelist)
-
SurveyJS
Open-Source JSON Form Builder to Create Dynamic Forms Right in Your App. With SurveyJS form UI libraries, you can build and style forms in a fully-integrated drag & drop form builder, render them in your JS app, and store form submission data in any backend, inc. PHP, ASP.NET Core, and Node.js.
Note that the only vulnerable version was @vue/cli v5.0.2, which was intended to pin the version of node-ipc to v9.2.1, but accidentally allowed versions greater than that: https://github.com/vuejs/vue-cli/commit/37ef809c873f33c88ba7...
The mistake was fixed within 6 minutes: https://github.com/vuejs/vue-cli/commit/b0d931668e7e8450a285...
It looks like the malware version of @vue/cli has been downloaded a total of 170 times.[1] That's 0.13% of all downloads of that package this week. It's also important to note that @vue/cli has been deprecated for months. If you're making a new Vue project today[2] you'll use create-vue[3] which doesn't depend on node-ipc at all.
1. https://www.npmjs.com/package/@vue/cli?activeTab=versions
2. https://vuejs.org/guide/quick-start.html
3. https://github.com/vuejs/create-vue
Note that the only vulnerable version was @vue/cli v5.0.2, which was intended to pin the version of node-ipc to v9.2.1, but accidentally allowed versions greater than that: https://github.com/vuejs/vue-cli/commit/37ef809c873f33c88ba7...
The mistake was fixed within 6 minutes: https://github.com/vuejs/vue-cli/commit/b0d931668e7e8450a285...
It looks like the malware version of @vue/cli has been downloaded a total of 170 times.[1] That's 0.13% of all downloads of that package this week. It's also important to note that @vue/cli has been deprecated for months. If you're making a new Vue project today[2] you'll use create-vue[3] which doesn't depend on node-ipc at all.
1. https://www.npmjs.com/package/@vue/cli?activeTab=versions
2. https://vuejs.org/guide/quick-start.html
3. https://github.com/vuejs/create-vue
There is a proposal to add OCAPs on a language level in TC39[0]. There is already a drop-in implementation which already works in both Nodejs and browsers[1].
As a developer who wants to sandbox your own (recursive) dependencies, this is made accessible today in Lavamoat[2]. Basically a package or app can provide a policy manifest specifying which capabilities (e.g. network or filesystem access) should be granted for each dependency. Also comes with a tool that will auto-generate a starting point from your existing dependency tree.
IMO this is the future. Currently it does come with a performance penalty but hopefully this idea will catch on and make it into runtime implementations.
Lavamoat is still marked as "preprod" on npm but talking to the author it's a matter of days or weeks until the first stable release.
[0]: https://news.ycombinator.com/item?id=30703817
[1]: https://github.com/endojs/endo/tree/master/packages/ses
[2]: https://github.com/LavaMoat/LavaMoat