codebird-php
Packagist hack?
Not sure what's happening here, but it doesn't look right.
Composer installs started failing today saying that an existing commit doesn't exist.
We have had this package installed for years:
https://packagist.org/packages/jublonet/codebird-php
I see that the page seems to list active data for the project, but it links to this repo, which is empty but for a single file:
https://github.com/jublonet/codebird-php
If you look at the user who committed the file there, they've made several other commits on other repos of the same or similar file.
Same here
@shaneiseminger @dave2309 Thanks for notifying us about this issue. We’ve updated Packagist to reflect the current GitHub repo URL.
Here’s what happened:
We had renamed our GitHub organisation years ago, and there had been an automatic redirect in place, sending users from jublonet to jublo. However now someone created a new GitHub organization called jublonet, clearly with the intention of misleading users and breaking Composer installations of Codebird.
//cc @joshuaatkins
@joshuaatkins thanks for your reply.
Still packagist is only showing jublonet/codebird-php, instead of jublo/codebird-php.
Any idea how long that would need to propagate (if necessary)?
@dave2309 The package should already have the updated source URL from GitHub. I did a test install on a blank folder, and Composer did pick up the correct files for me.
The Packagist package name itself cannot be updated for (similar) security reasons, and the only path for us would be to declare the jublonet/* packages as abandoned and superseded by newly submitted jublo/* packages.
@mynetx thanks, working now...
We had renamed our GitHub organisation years ago, and there had been an automatic redirect in place, sending users from jublonet to jublo. However now someone created a new GitHub organization called jublonet, clearly with the intention of misleading users and breaking Composer installations of Codebird.
Ah, makes sense now. Going to flag the user doing it as s/he/they is clearly trying to do that with a lot of repos and it also clearly opens a huge security hole through which any kind of code could be injected.
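As an added example (not code from this thread or from the Codebird project), a small Python check of the kind a defender could run in CI: it reads composer.lock and flags any pinned package whose source repository no longer matches an allowlisted GitHub org/repo, so a redirect takeover like the one described above is reported instead of Composer quietly fetching from the wrong organisation. The lock-file fragment is constructed, and the allowlist entry is an assumption for illustration.

```python
import json
import re
from typing import Optional

# Pinned mapping of Composer package name -> expected GitHub "org/repo".
# The value is an assumption for this example; a real allowlist would be
# reviewed and committed next to composer.lock.
EXPECTED_REPOS = {
    "jublonet/codebird-php": "jublo/codebird-php",
}

# Constructed composer.lock fragment (not a real lock file): the package's
# source URL still points at the old organisation name.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {
            "name": "jublonet/codebird-php",
            "version": "0.0.0",  # constructed placeholder
            "source": {
                "type": "git",
                "url": "https://github.com/jublonet/codebird-php.git",
                "reference": "0000000000000000000000000000000000000000",  # placeholder
            },
        }
    ]
})

# Matches both https and scp-style SSH GitHub URLs, with or without ".git".
_GITHUB_URL = re.compile(r"^(?:https://github\.com/|git@github\.com:)([^/]+)/([^/]+?)(?:\.git)?$")


def github_org_repo(url: str) -> Optional[str]:
    """Return 'org/repo' for a GitHub clone URL, or None for anything else."""
    m = _GITHUB_URL.match(url)
    return f"{m.group(1)}/{m.group(2)}" if m else None


def check_lock(lock_json: str, expected: dict) -> list:
    """Return one finding per pinned package whose source repo differs from the allowlist."""
    findings = []
    for pkg in json.loads(lock_json).get("packages", []):
        want = expected.get(pkg.get("name"))
        if want is None:
            continue  # package not pinned; outside this check's scope
        source = pkg.get("source", {})
        got = github_org_repo(source.get("url", ""))
        if got != want:
            findings.append({"package": pkg["name"], "expected": want,
                             "found": got, "reference": source.get("reference")})
    return findings


if __name__ == "__main__":
    for f in check_lock(SAMPLE_LOCK, EXPECTED_REPOS):
        print(f"{f['package']}: source is {f['found']}, expected {f['expected']}")
```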