
qr.js dependency is overtaken

Open bratsos opened this issue 3 years ago • 2 comments

First of all, thanks a lot for your work on this library! Recently, the GitHub project of qr.js (linked by npm) has been compromised and points to an empty repo.

There's another repo that contains the original code (AFAICT), linked here, and it seems to be the same author.

Not sure what the best practice is here. Off the top of my head, in descending order security-wise: either link directly to the second GitHub repo in your package.json, fork the repo under your account, or even vendor in the minified version of qr.js and include it in your library.

Cheers!

bratsos, Dec 01 '21 09:12

https://github.com/nayuki/QR-Code-generator/issues/155

rosskhanas, Oct 01 '22 08:10

For anyone who is curious about what happened to qr.js, there is a good write-up on it at https://blog.sonatype.com/researcher-takes-over-qr.js-via-repo-hijacking.-is-the-npm-package-safe

yoDon, Dec 23 '22 20:12