I think you should unpublish rather than deprecate... `npm unpublish package@version` ... It's possible within 72h. One reason is that the patched version contains -alpha... so tools like npm-check-updates would keep the 1.3.3 as the latest release for those who installed it

▲

hfmuehleisen 5 days ago | parent [-]

Yes we tried, but npm would not let us because of "dependencies". We've reached out to them and are waiting for a response. In the meantime, we re-published the packages with newer versions so people won't accidentally install the compromised version.

▲

herpdyderp 5 days ago | parent | next [-]

At least one thing is clear from this week: npm is too slow to respond.

▲

diggan 5 days ago | parent [-]

> npm is too slow to respond

Microsoft has been bravely saying "Security is top priority" since 2002 (https://www.cnet.com/tech/tech-industry/gates-security-is-to...) and every now and then reminds us that they put "security above all else" (latest in 2024: https://blogs.microsoft.com/blog/2024/05/03/prioritizing-sec...), yet things like this persists.

For how long time do Microsoft need to leave wide-open holes for the government to crack down on their wilful ignorance? Unless people go to jail, literally nothing will happen.

	▲	zahlman 4 days ago \| parent [-]
		TIL that NPM is a subsidiary of GitHub, making this indeed Microsoft's responsibility.

▲

hfmuehleisen 5 days ago | parent | prev [-]

they have now removed the affected versions!