thunderbong a day ago

If you see the code, that dependency just happens to be another file in the repository [0]

The only dependency is the 'motion' library.

[0]: https://github.com/mortspace/playcaptcha

TZubiri a day ago

Does npm install pull code from that GitHub repo, though? If not, auditing that repo is a huge blunder.

I'm seeing this from npm, which is a bit different:

https://www.npmjs.com/package/playcaptcha

Not saying the package is malicious (although it might be, but it's a more likely threat that the devs themselves become infected by a supply-chain worm and spread it downstream), just saying: if you are going to audit it, actually audit it as if you were up against an attacker.
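The practical version of "audit what npm installs, not the repo" is to fetch the published tarball (`npm pack playcaptcha` downloads it from the registry without running its install scripts, then `tar -xzf` it) and diff that tree against a checkout of the repository at the matching tag. The script below does that comparison and also lists any install-time lifecycle hooks the published package.json declares. It is an added example, not code from the thread or from the playcaptcha project; the two directory trees it compares here are constructed in a temp directory so it runs offline, and their contents are invented, not playcaptcha's.

```python
"""Compare the tree npm would actually install (an unpacked registry tarball)
with the source repository it claims to come from.

Added example, not project code.  In real use, point audit() at an unpacked
`npm pack` result and a `git clone` of the tagged commit; build_demo() below
fabricates both trees so the script runs offline.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Lifecycle scripts npm runs automatically during install.  Any of these in a
# *published* package.json deserves a read, even if the repo has none.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SKIP_DIRS = {"node_modules", ".git"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict[str, str]:
    """Relative POSIX path -> sha256 for every regular file under root."""
    out: dict[str, str] = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if any(part in SKIP_DIRS for part in rel.parts):
            continue
        if p.is_file():
            out[rel.as_posix()] = sha256_of(p)
    return out


def install_hooks(pkg_dir: Path) -> dict[str, str]:
    """Install-time scripts declared by the published package.json."""
    manifest = json.loads((pkg_dir / "package.json").read_text())
    scripts = manifest.get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def audit(repo_dir: Path, pkg_dir: Path) -> dict:
    """Diff the published tree against the repo tree.

    Files only in the repo (tests, CI config, docs) are normal and returned
    for information.  Files only in the tarball, or whose bytes differ from
    the repo copy, are exactly what a compromised publish step leaves behind
    and are the ones to read line by line.
    """
    repo, pkg = tree_hashes(repo_dir), tree_hashes(pkg_dir)
    common = set(repo) & set(pkg)
    return {
        "only_in_package": sorted(set(pkg) - set(repo)),
        "only_in_repo": sorted(set(repo) - set(pkg)),
        "modified": sorted(f for f in common if pkg[f] != repo[f]),
        "install_hooks": install_hooks(pkg_dir),
    }


def _write_tree(root: Path, files: dict[str, str]) -> None:
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)


def build_demo() -> tuple[Path, Path]:
    """Constructed sample trees (invented contents, not playcaptcha's): the
    'published' tree gains a postinstall hook and an extra file, and one
    source file differs from the repo copy."""
    base = Path(tempfile.mkdtemp())
    repo, pkg = base / "repo", base / "package"
    _write_tree(repo, {
        "package.json": json.dumps({"name": "demo", "version": "1.0.0",
                                    "scripts": {"test": "node test.js"}}),
        "src/index.js": "export const captcha = () => 'ok';\n",
        "test/index.test.js": "// tests live only in the repo\n",
    })
    _write_tree(pkg, {
        "package.json": json.dumps({"name": "demo", "version": "1.0.0",
                                    "scripts": {"test": "node test.js",
                                                "postinstall": "node src/setup.js"}}),
        "src/index.js": "export const captcha = () => 'ok';\nimport './setup.js';\n",
        "src/setup.js": "// not present in the repository\n",
    })
    return repo, pkg


if __name__ == "__main__":
    repo_dir, pkg_dir = build_demo()
    print(json.dumps(audit(repo_dir, pkg_dir), indent=2))
```

Two caveats when reading the output. The `repository` field in package.json is self-declared, so matching trees only mean the tarball agrees with whatever repo you chose to compare against; confirm separately that that repo is the one the maintainers actually publish from. And a clean diff says nothing about transitive dependencies such as `motion`, which get installed with the same trust and need the same check.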