
`package.json`, dependencies are vulnerable to supply-chain attacks

Open MidSpike opened this issue 2 years ago • 1 comment

Looking at the package.json has led me to the following findings:

`package.json`, dependency versions are vulnerable to supply-chain attacks:
- barely-patched in 8.1.1, semi-patched in 10.1.3
- however 10.1.3 still contains `strong-type: ^1.0.1` along with unfixed devDependencies
- additionally node-cmd, js-queue, js-message, event-pubsub, strong-type are all owned by riaevangelist

Originally posted by @MidSpike in https://github.com/MidSpike/node-ipc/issues/3#issuecomment-1075648693

MidSpike avatar Mar 22 '22 21:03 MidSpike

The reason behind calling these "vulnerable to supply-chain attacks" stems from @RIAEvangelist:

- authoring the commit behind CVE-2022-23812
- publicly stating (citation):

  > This code serves as a [...] example of why controlling your node modules is important.

- Also saying (citation):

  > [...] damn good sleuthing.

  Google defines "sleuthing" as "careful investigation into a crime or mystery"

For the reasons stated above, I believe that any code currently contained in this repository that uses packages maintained by @RIAEvangelist is at risk of a supply-chain attack.

MidSpike avatar Mar 22 '22 21:03 MidSpike