
npm package contains "secret" file

Open phated opened this issue 7 years ago • 16 comments

Just noticed this while auditing my npm modules. You might want to use the files property in your package.json to ship only the necessary files (lib/)

phated avatar Jul 27 '16 18:07 phated

@jpommerening @mariocasciaro What is this file? I found it today too

luanmuniz avatar Apr 09 '19 19:04 luanmuniz

Noticed this strange file today. What is the file for in the module? Based on the file's contents it seems that it could pose some security risk.

lager1 avatar Oct 09 '19 21:10 lager1

Sorry folks, I don't have publish permissions to the npm package, so I can't help you here.

mariocasciaro avatar Oct 10 '19 10:10 mariocasciaro

Hey @phated @luanmuniz @lager1 @mariocasciaro! Sorry for the long delay… it felt hard to respond to this.

Yes, this is a private key. It has long since been revoked/retired wherever it was used.

Aside from traveling back in time to when I was using this private key, I can't think of a good way to exploit this. One could sign something with it and try to claim that I signed it, but then you'd need to point to a place where I claim that this is a key that can be trusted.

Since this package has quite a lot of dependents (and I'm sure many of those use a pinned version) I will not unpublish the version that contains the file. (I don't want this to be the new left-pad.)

I could publish a new version of the package without said file, but I'm not convinced that would benefit anyone.

@phated Thanks for pointing out files. That is the way to go imo. @luanmuniz @lager1 @mariocasciaro Thanks for taking the time to chime in.

Again, sorry for not responding. Sometimes it's just hard, especially when you can't really do something about a problem.

jpommerening avatar Oct 10 '19 12:10 jpommerening

It would be great if a new patch version of the package could be published without the issue. This secret is being flagged up in various code and container scanners as an issue. It can be muted in most cases, but people auditing the logs of these scanners have to spend the time to find out that it is a red herring.

bvwells avatar Jun 23 '20 10:06 bvwells

@jpommerening Since we use this in gulp, I'd be happy to bring this under the @gulpjs organization and help you maintain it. Thoughts?

phated avatar Jun 23 '20 22:06 phated

Please publish a new bugfix version of this package without the secret file. You will save many hours of many other developers, who have spent time verifying the false-positive security issue reported by their scanning software and adding ignore rules to those scanners. Eventually all dependents will update to the fixed version and it will not be an issue anymore.

antrew avatar Jun 30 '21 21:06 antrew

@jpommerening Any news here? You don't need to unpublish the older versions, but publish a patch version without the file. You can use .npmignore file for that.

luanmuniz avatar Oct 20 '21 13:10 luanmuniz

@luanmuniz actually, yes! I managed to recover access to my NPM account (turned out to be easier than expected, now that npm.org is owned by GitHub/Microsoft).

I still need to sort through a few things, but hope to get 1.0.1 published soon. Sorry everyone. It's quite the ordeal.

And, @phated, if you're still interested, I'll happily take you up on that offer!

jpommerening avatar Oct 22 '21 19:10 jpommerening

And, @phated, if you're still interested, I'll happily take you up on that offer!

Yep! Happy to help out. Let me know how you want to do the transfer. Glad you were able to recover your account 🥂

phated avatar Oct 22 '21 20:10 phated

Let me know how you want to do the transfer.

Well … how does one do a transfer? 😅 I think I could give you publish permissions on npmjs.org and transfer the repo to @gulpjs? I don't know what kind of coordination the second part requires. Let's check that tomorrow, ok?

jpommerening avatar Oct 22 '21 20:10 jpommerening

Well … how does one do a transfer?

GitHub permissions are a little strange. You can actually transfer to any individual, but you can't transfer to an organization unless you are an admin. So the best solution would be to transfer to my personal account (phated) and then I'll transfer it into @gulpjs - I believe it will keep you as an external collaborator throughout that process.

For npm, it's mostly the same process. You add me as an admin (phated) and then I can add it to the gulpjs organization.

phated avatar Oct 22 '21 20:10 phated

Sounds good! I'll do that later in the evening <3

Also, I just published 1.0.1 😌

jpommerening avatar Oct 23 '21 09:10 jpommerening

@jpommerening Let me know when you want to do the transfer.

phated avatar Nov 08 '21 22:11 phated

@jpommerening just checking in on this, as it's on my todo list.

phated avatar Jun 15 '22 20:06 phated