Looks like this is a 3rd party npm module that's downloaded >1 million times a week. For the curious, here are the vulnerable lines: Linux: scravy/node-macaddress@dd07962:/lib/linux.js#L4; macOS: ...
Bonus points for an especially useless use of cat to read /proc on the Linux one.
EDIT: Looks like a good chunk of those downloads were as a former dependency of uniqid.
s/NodeJS/the macaddress module on npm/
It has been 300 days since a major node package vulnerability was found
Oh please let's not turn Tildes into Hacker News' toxic hate of everything JavaScript.
npm is making steps in the right direction by incorporating security advisories right into the install process. This will hold package maintainers to a higher standard and give transparency to those using them. No software is perfect; vulnerabilities will be found, and it's how they're handled that is important.
The package maintainer doesn't appear to be active and the module has been forked with a fix, https://github.com/flypapertech/node-macaddress, and is on npm as macaddress-secure.
Loving the JS ecosystem for how quickly it responds to these issues.
The only problem is that now all the packages that depend on that module need to update, and that will take months at best :-/
I think they are reaching out to the npm maintainers to try and coup the package to become maintainers and point it towards the actively maintained repo; if that is the case the uptake should be much quicker. It's much harder for package maintainers to ignore these when thousands of programs are throwing up huge red flags upon an npm install.
As someone who knows nothing about programming, can someone ELI5 this?
A 3rd party module programmers use in their programs has a vulnerability that has the potential to allow a malicious user to execute an arbitrary command that could compromise the system the node program is running on.