1369 points universesquid | 1 comment
alaintno No.45168876
How is it possible that this code (line 9 of the index.js) isn't present in the source GitHub repo, but can be seen in the beta feature of npmjs.com?

Also, package version 1.3.3 has been downloaded 0 times according to npmjs.com, so how has the writer of this article been able to detect this without incrementing the download counter?

1. behindsight No.45172960
> How is it possible that this code (line 9 of the index.js) isn't present in the source GitHub repo, but can be seen in the beta feature of npmjs.com

You may also be interested in npm package provenance [1], which lets you sign your published npm builds to prove they were built directly from the source being displayed.

This is something ALL projects should strive to set up, especially if they have a lot of dependent projects.

1: https://github.blog/security/supply-chain-security/introduci...
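As an added illustration of the provenance setup mentioned above (example configuration, not code from the thread or from npm/GitHub), a minimal GitHub Actions workflow that publishes a package with a signed provenance attestation; the workflow name, trigger and the `NPM_TOKEN` secret name are assumptions:

```yaml
# Added example: publish an npm package with provenance from GitHub Actions.
# The job needs an OIDC token (id-token: write) so the npm CLI can obtain a
# Sigstore certificate tied to this repository, commit and workflow run.
name: Publish
on:
  release:
    types: [published]   # assumed trigger: publish when a GitHub release is created
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write    # required for --provenance; without it publish fails to attest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org   # sets up .npmrc to use NODE_AUTH_TOKEN
      - run: npm ci
      - run: npm test
      # --provenance attaches a signed attestation linking the uploaded tarball
      # to the exact source commit and workflow that built it, so a tarball whose
      # contents differ from the repository (as in the case discussed above)
      # cannot carry a valid attestation for that repository.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```

On the consuming side, `npm audit signatures` (npm 9.5 or later) checks that installed packages carry valid registry signatures and provenance attestations, which is the check a dependent project would run to catch a published tarball that does not match its claimed source.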