node-ipc

Is the Protestware still there?

Open vworld opened this issue 2 years ago • 14 comments

Hi, can you please advise in which version the protestware was added?

All previous releases are not there and I seem to not find the history too.

Yours is a great package, and I would like to use the one prior to the release when the protesting codes were added.

Don't want to surprise my users!

vworld avatar Feb 22 '23 12:02 vworld

Looks like this repo got completely wiped and reinitiated, with code that seems to be dated back before the protestware. However please note that this could also mean any change in the commit history and code (but this needs verification).

The original (before wipe) latest versions without the "protestware" were:

  • For version v9: v9.2.1
  • For version v10/v11: v10.1.0

For historical purposes:

  • More info: https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
  • The issue that started all: https://web.archive.org/web/20220317042712/https://github.com/RIAEvangelist/node-ipc/issues/233
  • Also a drop-in fork: https://github.com/achrinza/node-ipc/issues/1

frzsombor avatar Mar 07 '23 10:03 frzsombor

Completely wiped and reinstated to the last safe commit. Apologies for the confusion.

On Tue, Mar 7, 2023 at 5:37 AM Zsombor Franczia @.***> wrote:

Looks like this repo got completely wiped and reinitiated, with code that seems to be dated back before the protestware. However please note that this could also mean any change in the commit history and code (but this needs verification).

The original (before wipe) latest versions without the "protestware" were:

  • For version v9: v9.2.1
  • For version v10/v11: v10.1.0

More info:

  • for latest clean versions: https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
  • for a fork by another developer: achrinza/node-ipc#1 https://github.com/achrinza/node-ipc/issues/1
  • for the issue that started all: https://web.archive.org/web/20220317042712/https://github.com/RIAEvangelist/node-ipc/issues/233


RIAEvangelist avatar Mar 16 '23 17:03 RIAEvangelist

I still got the txt file with npm version a month ago.

miguelcagidefagin avatar Mar 20 '23 10:03 miguelcagidefagin

@miguelcagidefagin NPM's latest is 11.1.0. You want to pin 10.1.0 from NPM or point your dependency to this repo directly.

As @frzsombor so kindly wrote:

The original (before wipe) latest versions without the "protestware" were:

  • For version v9: v9.2.1
  • For version v10/v11: v10.1.0

I also recommend you run 'is-my-node-supply-chain-secure' to see how many vulnerable packages you have on your computer. It will scan all your packages system-wide and report which ones are the most likely to have supply chain vulnerabilities in them. It can take a long time depending on how big your system is, you will see each package pop up in the terminal when a vulnerability is found.

Remember to pin your deps at all times. npm-pin-dependencies might be helpful to use from time to time. Also, remember to use npm ci instead of npm i when possible. If you don't know what pinning is yet, read this article on pinning

I am working with NPM to regain account access now so I can update the package to be optional.

RIAEvangelist avatar Mar 20 '23 13:03 RIAEvangelist

I hope no more protestwares will be added. Had to go through a lot of pain to remove node-ipc from a project earlier. I'll be looking forward to contributing.

surajpratap avatar Jul 05 '23 14:07 surajpratap

I am sorry for that, there won't be any more protest ware like that. I will be moving the current stuff to the console log as the first update too.

RIAEvangelist avatar Jul 12 '23 14:07 RIAEvangelist

Seems like the https://www.npmjs.com/package/node-ipc package is still pushing the version with the protestware.

npm -v 10.4.0, node -v 21.6.1, btw

tilkinsc avatar Feb 04 '24 07:02 tilkinsc

v10.1.0 is the latest which does not make a request for peace.

If users find that offensive then just set it to that version as it is the latest before all this crap happened.

Latest also has some other updates to it too, however, none are critical that I am aware of. When the war is over the module will no longer make a call for peace.

RIAEvangelist avatar Feb 04 '24 18:02 RIAEvangelist

The description is above already as well.

RIAEvangelist avatar Feb 04 '24 18:02 RIAEvangelist

@RIAEvangelist I'm using the version 10.1.0 but it keeps showing the ♥ symbol in the console. Is that also part of the protestware? Is there a way to remove it?

jdeg avatar Feb 09 '24 22:02 jdeg

V 10.1.0 does not log the ♥; it also does not contain the peace not war module. You should delete your node modules and reinstall them, making sure you have v 10.1.0 and not 11, if the console log of a ♥ is an issue.

You can also search for the ♥ in your code.

On Fri, Feb 9, 2024, 2:06 PM Jose Daniel Estrada @.***> wrote:

@RIAEvangelist https://github.com/RIAEvangelist I'm using the version 10.1.0 but it keeps showing the ♥ symbol in the console. Is that also part of the protestware? is there a way to remove it?


RIAEvangelist avatar Feb 17 '24 16:02 RIAEvangelist
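An added example, not part of the thread or of the node-ipc project: the advice above to pin dependencies and to reinstall while making sure v10.1.0 is what you have can be checked against the lockfile, which is what `npm ci` installs from and which can record more than one copy of a package. The sample lockfile, `demo-app`, `some-cli` and the `peacenotwar` version string are constructed for illustration; the clean versions are the ones listed in the thread.

```javascript
// Added example. Versions the thread names as the last ones without the protestware.
const CLEAN_NODE_IPC = new Set(["9.2.1", "10.1.0"]);
const WATCHED = new Set(["node-ipc", "peacenotwar"]);

// Constructed sample lockfile: the project pins 10.1.0, a hypothetical "some-cli" nests 11.1.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "node-ipc": "10.1.0" } },
    "node_modules/node-ipc": { version: "10.1.0" },
    "node_modules/some-cli/node_modules/node-ipc": { version: "11.1.0" },
    "node_modules/peacenotwar": { version: "0.0.0-constructed" },
  },
};

// Yield every installed copy recorded in a lockfile (v2/v3 "packages" or v1 "dependencies").
function* installed(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path.includes("node_modules/")) continue; // root project, workspace folders
      const name = meta.name || path.slice(path.lastIndexOf("node_modules/") + 13);
      yield { name, version: meta.version, path };
    }
    return;
  }
  const walk = function* (deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { name, version: meta.version, path };
      yield* walk(meta.dependencies, `${path}/`);
    }
  };
  yield* walk(lock.dependencies, "");
}

// Report each node-ipc / peacenotwar copy; ok only for node-ipc at a version the thread lists.
function auditLock(lock) {
  return [...installed(lock)]
    .filter((p) => WATCHED.has(p.name))
    .map((p) => ({ ...p, ok: p.name === "node-ipc" && CLEAN_NODE_IPC.has(p.version) }));
}

// Audit a real lockfile: auditFile("package-lock.json").then(console.log)
async function auditFile(file) {
  const { readFileSync } = await import("node:fs");
  return auditLock(JSON.parse(readFileSync(file, "utf8")));
}
for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.ok ? "ok  " : "FLAG"} ${f.name}@${f.version}  ${f.path}`);
}
```

On the sample, the top-level copy passes while the nested 11.1.0 copy and the `peacenotwar` entry are flagged, each with the path showing which dependency pulled it in.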

It might make sense to publish a new version here to solve the 'protestware' and 'peacenotwar' problems. @RIAEvangelist

https://www.npmjs.com/package/node-ipc

Hello from Turkey 🙌

ramazansancar avatar May 28 '24 18:05 ramazansancar

I am open to suggestions as to the best way to resolve this. Perhaps a flag of some kind?

RIAEvangelist avatar May 30 '24 07:05 RIAEvangelist

By releasing v12.0 as the NPM version, it can be declared that there are no problems with 12 and later. This seems to be the fastest and most effective solution. The library called @latest will be released as the latest version, v12.0.

ramazansancar avatar May 31 '24 00:05 ramazansancar

Don't use, malware could be injected anytime

xahon avatar Jul 30 '24 18:07 xahon

By releasing v12.0 as the NPM version, it can be declared that there are no problems with 12 and later. This seems to be the fastest and most effective solution. The library called @latest will be released as the latest version, v12.0.

Hasn't a solution been implemented for this place yet? @RIAEvangelist

ramazansancar avatar Aug 02 '24 10:08 ramazansancar

@ramazansancar as it stands, currently people can choose to use the older version or the current version, all features are the same.

There is so much war happening in the world today, we could put this behind an option and allow engineers to decide for themselves where they stand.

Everything harkens back to what happened in World War 2. It is easy to forget what happened now that it has been so long.

The whole world has gone crazy for the past few years. I am open to PRs.

RIAEvangelist avatar Aug 02 '24 20:08 RIAEvangelist

@ramazansancar just pushed the changes to GH. The war is now bidirectional and they will figure things out their way. People of the world should pray for peace and no more forced or carried on bloodshed.

One day, this all will change, treat people the same Stop with the violence, down with the hate One day, we'll all be free and proud to be Under the same sun, singin' songs of freedom

I understand why this is happening, I just don't agree with continued bloodshed, fighting, hate and destruction. It is sad. Hopefully ML and AI can help with this in more than one way, and bring about an era of prosperity and peace without war where people can be free to understand themselves and this place in freedom and joy.

v12.0.0 will be released as suggested. I'm going to push another as this issue and your suggestion qualify you to be a contributor now because you had a direct impact and positive suggestion without hate.

Thank you.

RIAEvangelist avatar Aug 12 '24 15:08 RIAEvangelist

@RIAEvangelist Thank you for your understanding and taking action to correct this.

Hello from Turkey 🙌

ramazansancar avatar Aug 19 '24 17:08 ramazansancar