martypitt 4 days ago

A super quick script to check the deps in your package-lock.json file is here[0].

[0]: https://gist.github.com/martypitt/0d50c350aa7f0fc73354754343...

patates 4 days ago

Aren't these already nuked and show up in the "npm audit" command?

epmatsw 4 days ago

Annoyingly, npm audit relies on github's advisory DB, which is currently incorrectly flagging all versions of these packages, not just the compromised ones.

https://github.com/github/advisory-database/issues/6098

brycewray 4 days ago

“Anatomy of a Billion-Download NPM Supply-Chain Attack”[0] suggests adding this to `package.json` for now...

    "overrides": {
      "chalk": "5.3.0",
      "strip-ansi": "7.1.0",
      "color-convert": "2.0.1",
      "color-name": "1.1.4",
      "is-core-module": "2.13.1",
      "error-ex": "1.3.2",
      "has-ansi": "5.0.1"
    }

EDIT: This comment[1] suggests the `npm audit` issue has now been resolved.

[0] https://jdstaerk.substack.com/i/173095305/how-to-protect-you...

[1] https://github.com/chalk/chalk/issues/656#issuecomment-32676...

martypitt 4 days ago

Nice - that's even better - thanks! TIL.

krona 4 days ago

How about:

grep -r "_0x112fa8"

9dev 4 days ago

Irritatingly, this doesn't turn up anything, despite having a theoretically compromised project as per the package-lock.json… at least on my end.

mewpmewp2 4 days ago

What do you mean irritatingly? Do you mean that you think 'grep -r "_0x112fa8"' is not enough or are you irritated that npm audit is flagging as if it was compromised?

9dev 4 days ago

I'm irritated because I expected to find at least one compromised file, but there were none. It may be, though, that we only use the affected packages as transitive development dependencies, in which case they are not installed locally. But a sliver of doubt remains that I missed something.

AgentME 4 days ago

If you had the dependency installed before this attack, then you would still be pinned to an old safe version.