bats-file
bats-file npm package removed by security team
According to https://www.npmjs.com/package/bats-file:
Security holding package This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
Please refer to www.npmjs.com/advisories?search=bats-file for more information.
Clicking the link goes to github advisories, but nothing is listed there for bats-file.
Do you have any context on this?
Thanks for the report. This is the first time I hear about that. We will have to inquire with npm to get more details. I see the following potential reasons:
- The code is too old
- The code triggered some false positive in automated security scans
- We actually have some backdoors in the package, either due to an oversight or due to a breach like https://thehackernews.com/2021/09/travis-ci-flaw-exposes-secrets-of.html
Anyway we will have to investigate.
The description text mentioned above is gone now.
I did not yet hear back from the npm team.
However, internal discussion showed that we never published a bats-file package. This means the package you linked to was published by a third party.
Unfortunately, this means we don't know what was in that package.
bats-file (this repo) was forked from a long-time bats community member's bats-file.
The original repo contained a package.json that was initially used primarily as a means to simplify the installation of sibling bats projects for testing. I don't believe the package.json was ever used as a means of publishing bats-file itself. This is demonstrated by it being configured as `private: true`, which prevents publishing. It has remained private for as long as our fork has existed. The package published on npm is not by the bats-core org nor published by any member of the [bats-core org](https://www.npmjs.com/org/bats-core).
I see the issue is still open and no final resolution posted.
Are there plans to add bats-file as a bats-core org provided npm package?
In that sense, as far as I can see when looking at bats-support and bats-assert, these packages are also only owned by a bats-core member @jasonkarns but not the org itself.
Are there plans to change this situation in the future so that everyone is able to use `npm install bats-file` as an officially supported package owned by bats-org?
There has been internal discussion about this topic but there is no final decision or timeline, yet.
@martin-schulze-vireso if you want you can include me in the internal discussion about this, I have a natural interest in "packaging" tasks and I have experience with most of the different distros and language-related packages. :) I also recently joined the chat, will ping you there :wave:
I am not sure which chat you are talking about exactly. We are still evaluating where to bundle internal communication.
With regard to this issue: the current idea is to provide official npm packages under the bats scope to prevent a vacuum that can be filled by nefarious actors.
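A defender-side check for the two mitigations raised in this thread (`private: true` preventing publication, and a scoped name closing the gap a third party filled), as an added example that is not bats-core project code; the `@bats-core` scope, the package.json and the lockfile contents are constructed assumptions.

```javascript
// Added example, not from the bats-core project. It audits a package.json for
// the two mitigations discussed above and scans a consumer's lockfile for
// unscoped dependencies that carry an org project's name. The scope
// "@bats-core" is an assumption; the data below is constructed.

// Constructed package.json resembling the fork: unscoped name, never published.
const forkPackageJson = { name: "bats-file", version: "0.0.0", private: true };

// Constructed lockfile (npm lockfileVersion 2 layout) for a consumer that
// pulled an unscoped "bats-file" from the public registry.
const consumerLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "my-tests", dependencies: { "bats-file": "^1.0.0" } },
    "node_modules/bats-file": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/bats-file/-/bats-file-1.0.0.tgz",
    },
    "node_modules/@bats-core/bats-assert": { version: "2.0.0" },
  },
};

// Project names the org maintains; an unscoped dependency with one of these
// names was not published by the org and deserves a closer look.
const ORG_PROJECTS = ["bats-file", "bats-assert", "bats-support"];

// Report whether a package.json is publishable and whether its name is scoped.
function assessPackageJson(pkg, scope = "@bats-core") {
  const scoped = pkg.name.startsWith(`${scope}/`);
  const publishable = pkg.private !== true;
  const findings = [];
  if (!scoped) findings.push(`bare name "${pkg.name}" is open for third-party publication`);
  if (publishable && !scoped) findings.push("repo itself can publish under an unscoped name");
  return { scoped, publishable, findings };
}

// Walk a lockfile and return dependencies that match an org project name but
// are not installed from the org's scope (nested node_modules paths included).
function findUnscopedLookalikes(lock, scope = "@bats-core") {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "") continue; // root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (ORG_PROJECTS.includes(name)) {
      hits.push({ name, version: entry.version, resolved: entry.resolved ?? null, expected: `${scope}/${name}` });
    }
  }
  return hits;
}

console.log(assessPackageJson(forkPackageJson), findUnscopedLookalikes(consumerLock));
```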