asset-packagist icon indicating copy to clipboard operation
asset-packagist copied to clipboard

Published 20 hours ago verified publisher icon hiqdev

packages hijacking

Open mytskine opened this issue 1 year ago • 2 comments

  1. I search for "zxcvbn" packages https://asset-packagist.org/package/search?query=zxcvbn
  2. I see that "npm-asset/zxcvbn-ts--core" exists, with a latest release at 3.0.2
  3. I click on the package name and land on https://asset-packagist.org/package/npm-asset/zxcvbn-ts--core
  4. I see that the release "3.0.2" is not listed, and that greater release numbers exist. Eventually, I understand that the wrong package ("npm-asset/zxcvbn") is displayed on this page.
  5. I test an install with composer require npm-asset/zxcvbn-ts--core and the wrong package gets installed. In other words the package "npm-asset/zxcvbn" has hijacked "npm-asset/zxcvbn-ts--core", though they are unrelated (the latter started as a rewrite of the former, but their APIS are now incompatible).

Unless I'm mistaken, there is no way to install the real package "npm-asset/zxcvbn-ts--core". That's alright, but in any case another incompatible package should never get installed instead.

On a side note, the link on https://asset-packagist.org/package/npm-asset/zxcvbn-ts--core is wrong and sends to a 404 page: https://npmjs.com/package/zxcvbn-ts--core should become https://www.npmjs.com/package/@zxcvbn-ts/core

mytskine avatar Jun 30 '23 10:06 mytskine

After some more investigation, it seems that asset-packagist created composer packages only for some of the git tags in the zxcvbn-ts repository. Those tags are those that are shared with zxcvbn. This explains why the old package has hijacked this one.

The problem is still partly there:

  • The releases displayed by asset-packagist were wrong, they were never released under this name on npm. Clicking "Fetch updates from npm" has solved it for this package, but those releases should never have been there.
  • The page now claims "This package is OK to use!" but the SHA column is always at "n/a" with no link to sources.
  • The link to npm is broken.

Surprisingly, forcing composer to install [email protected].* did work now, so there is a workaround for the main problem.

mytskine avatar Jun 30 '23 11:06 mytskine

Hello! Thanks for digging! Yes, this is not right and could be improved. We will leave this issue open and get back to it during the next project maintenance session. And PRs are always welcome if you would like to put some effort into this task.

SilverFire avatar Jul 03 '23 09:07 SilverFire