ua-parser-js
Add security advice to README.md referring to malware-infected releases
I was informed about the malicious code being shipped with UA Parser (https://github.com/faisalman/ua-parser-js/issues/536) via a (German) technology news blog. When looking at the readme of ua-parser-js and especially at npmjs, I'm not informed that this has happened, and would not have found any reason to start checking my system.
Since UA Parser might be used in many production instances/systems, I kindly ask @faisalman to increase his responsibility in this security issue by raising the awareness of the affected users significantly.
This can be accomplished IMO with a ⚠️⚠️⚠️ BIG WARNING ⚠️⚠️⚠️ in the readme that advises on
- how to detect if a user is affected (e.g. `npm list | grep ua-parser-js`)
- what is the threat to their system
- what are the necessary steps to make sure the system is free of malware
In certain jurisdictions/industries, usage of a compromised package might lead to legal consequences if a company does not act in a timely manner, and the info being hidden inside an issue is insufficient in my view.
GitHub also has a Security Advisory tab where this information could be published: https://github.com/faisalman/ua-parser-js/security/advisories
Running `npm list` returns only the first level of packages, but ua-parser-js may be a sub-dependency.
@chris-aeviator you should run `npm list ua-parser-js` to find out if any dependency in your projects depends on ua-parser-js.
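A self-contained check covering both the detection step the issue asks for and the sub-dependency point raised in the comments, added here as an example (not code from the ua-parser-js project or from any commenter): it walks a project's `node_modules` for every installed copy of ua-parser-js, nested copies included, and compares each version against a list of affected versions. `AFFECTED_VERSIONS` is a placeholder that must be filled in from the project's advisory; the sample tree and its version strings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the ua-parser-js project. Lists every installed copy
# of ua-parser-js under a project's node_modules (top-level and nested) and
# flags versions that appear in AFFECTED_VERSIONS.
#
# AFFECTED_VERSIONS is a placeholder: set it from the project's advisory, e.g.
#   AFFECTED_VERSIONS="<affected versions, space separated>" sh scan.sh /path/to/project
AFFECTED_VERSIONS="${AFFECTED_VERSIONS:-PLACEHOLDER.VERSION}"

# Print "<package dir> <version>" for each ua-parser-js package.json under $1.
# Unlike "npm list" without a package argument, this also finds copies pulled
# in by other dependencies (node_modules/*/node_modules/ua-parser-js).
find_ua_parser() {
  find "$1" -type f -path '*/node_modules/ua-parser-js/package.json' 2>/dev/null |
  while read -r pkg; do
    # pull the "version" field out of package.json without needing node or jq
    ver=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1)
    printf '%s %s\n' "$(dirname "$pkg")" "$ver"
  done
}

# Exit 0 if version $1 is in AFFECTED_VERSIONS, 1 otherwise.
is_affected() {
  for v in $AFFECTED_VERSIONS; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# Print the number of installed copies under $1 whose version is affected.
count_affected() {
  n=0
  for ver in $(find_ua_parser "$1" | awk '{print $NF}'); do
    is_affected "$ver" && n=$((n + 1))
  done
  echo "$n"
}

# Report every copy found; exit 0 only when no affected version is installed.
scan_project() {
  find_ua_parser "$1" | while read -r line; do
    ver=${line##* }
    dir=${line% *}
    if is_affected "$ver"; then
      echo "AFFECTED: $dir ($ver)"
    else
      echo "ok: $dir ($ver)"
    fi
  done
  [ "$(count_affected "$1")" -eq 0 ]
}

# Constructed sample project (not a real install): one top-level copy and one
# copy nested under another dependency, with made-up version strings.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/node_modules/ua-parser-js" \
           "$root/node_modules/some-dep/node_modules/ua-parser-js"
  printf '{"name":"ua-parser-js","version":"0.0.1-sample"}\n' \
    > "$root/node_modules/ua-parser-js/package.json"
  printf '{"name":"ua-parser-js","version":"9.9.9-sample"}\n' \
    > "$root/node_modules/some-dep/node_modules/ua-parser-js/package.json"
  echo "$root"
}

# Run a scan when a project path is given on the command line.
if [ -n "${1:-}" ]; then
  scan_project "$1"
fi
```

The scan reads each `package.json` directly rather than calling `npm`, so it also works on a checked-out `node_modules` directory with no npm available, and on a tree where `npm list` would stop at the first level. A non-zero exit from `scan_project` is what a CI job or an inventory script would key on.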
Any update?