
Fix dependencies

Open BenMusch opened this issue 2 years ago • 7 comments

Bumping deps, minor change

BenMusch avatar Mar 31 '23 23:03 BenMusch

This is a heavily vulnerable version. !LGTM

Yumshot avatar Mar 31 '23 23:03 Yumshot

Thanks for looking out for the security!

LGTM

nwithan8 avatar Mar 31 '23 23:03 nwithan8

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

CLAassistant avatar Apr 01 '23 00:04 CLAassistant

I wonder how long it will take for https://github.com/Airtable to fire Ben Muschol after seeing that he's creating malicious pull requests, which anybody can see and is damaging Airtable's reputation... How retarded can you be for using your real GitHub account?

Risae avatar Apr 01 '23 09:04 Risae

> I wonder how long it will take for https://github.com/Airtable to fire Ben Muschol after seeing that he's creating malicious pull requests, which anybody can see and is damaging Airtable's reputation... How retarded can you be for using your real GitHub account?

I'm sure they don't give a shit lol. This repo is one big meme.

Yumshot avatar Apr 01 '23 16:04 Yumshot

@Risae this PR is a joke, please do not interpret it as malicious lol. It's the software equivalent of 3 kids on each other's shoulders in a trench coat trying to get a rated R movie ticket.

The dependency I'm updating is clearly referencing an internal repository at Twitter (hence the 3rdparty/ prefix as opposed to some public registry) where they would have already removed the insecure version. In fact, it's not even clear that it's possible to reference another version, as it seems like Twitter is probably pinning all of their code to a specific version across all repositories. Moreover, there's no CI running on-commit here. The code that I have written will never execute anywhere.

This is also, arguably, the most well-known security vulnerability in years. I'm not trying to pass off some obscure code change without people noticing. An actual malicious actor would implement a real change and try to hide the malicious change within that.

It's a joke, anyone familiar with software build processes will see that. Let's not take this too seriously lol

BenMusch avatar Apr 01 '23 18:04 BenMusch
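The comment above leans on two facts: the PR only touches a pinned version under a `3rdparty/` path, and nothing runs on-commit to notice it. The check below is an added example (not code from this PR, from the repository, or from any project named in the thread) of the kind of pre-merge gate a maintainer would want for exactly this case: it parses a unified diff of a dependency manifest, reports every pin that changed, flags downgrades, and compares the new pin against a reviewer-maintained known-bad list. The manifest format (`name = "version"`), the `3rdparty/deps.bzl` path and the sample diff are constructed for the example; the known-bad entry is a placeholder, not a real advisory.

```python
"""Flag dependency pin changes in a unified diff so a reviewer (or CI) sees them.

Added example; not from the PR or any project in the thread.
Assumptions (constructed): manifest lines look like  name = "version",
the diff is a standard unified diff, and KNOWN_BAD is a placeholder list
a maintainer would populate from real advisories.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Matches a pin line such as:  some-lib = "1.2.3"
DEP_RE = re.compile(r'^\s*([A-Za-z0-9_./-]+)\s*=\s*"([^"]+)"')

# Constructed sample diff: a "minor" bump that actually moves one pin backwards.
SAMPLE_DIFF = """\
--- a/3rdparty/deps.bzl
+++ b/3rdparty/deps.bzl
@@ -1,3 +1,3 @@
 example-lib = "2.17.1"
-other-lib = "1.4.0"
+other-lib = "1.2.0"
 third-lib = "0.9.0"
"""

# Placeholder known-bad pins a maintainer would fill from real advisories.
KNOWN_BAD: FrozenSet[Tuple[str, str]] = frozenset({("other-lib", "1.2.0")})


@dataclass
class VersionChange:
    name: str
    old: str
    new: str
    downgrade: bool


def version_key(version: str) -> List[int]:
    """Component-wise key for dotted versions; non-numeric parts sort as 0."""
    return [int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", version)]


def find_version_changes(diff_text: str) -> List[VersionChange]:
    """Return every dependency whose pinned version differs between - and + lines."""
    removed: Dict[str, str] = {}
    added: Dict[str, str] = {}
    for line in diff_text.splitlines():
        # Skip file headers and hunk markers; only real +/- content lines matter.
        if line.startswith(("---", "+++", "@@")) or not line or line[0] not in "+-":
            continue
        match = DEP_RE.match(line[1:])
        if match:
            target = removed if line[0] == "-" else added
            target[match.group(1)] = match.group(2)
    changes = []
    for name in sorted(set(removed) | set(added)):
        old, new = removed.get(name), added.get(name)
        if old and new and old != new:
            changes.append(
                VersionChange(name, old, new, version_key(new) < version_key(old))
            )
    return changes


def review_verdict(changes: List[VersionChange],
                   known_bad: FrozenSet[Tuple[str, str]] = frozenset()) -> List[str]:
    """Reasons a reviewer should block the change; empty list means nothing flagged."""
    reasons = []
    for c in changes:
        if (c.name, c.new) in known_bad:
            reasons.append(f"{c.name}: {c.new} is on the known-bad list")
        elif c.downgrade:
            reasons.append(f"{c.name}: downgrade {c.old} -> {c.new}")
    return reasons


if __name__ == "__main__":
    found = find_version_changes(SAMPLE_DIFF)
    for change in found:
        print(f"{change.name}: {change.old} -> {change.new}"
              f"{' (DOWNGRADE)' if change.downgrade else ''}")
    for reason in review_verdict(found, KNOWN_BAD):
        print("BLOCK:", reason)
```

The point of running this on every commit rather than trusting the PR title is the one the comment itself makes: an obvious version change is easy to spot by eye, but a version change buried inside an otherwise legitimate diff is not, and a mechanical diff of the pins catches both the same way.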

It was a good meme, only reason I downvoted was the

> Bumping deps, minor change

Needs more flair like the other clickbait titles. (This would single-handedly fix Twitter's problems) Kappa....

Yumshot avatar Apr 01 '23 18:04 Yumshot