Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

SECURITY-ISSUE: node_module dependency "ua-parser-js" is hijacked by malware

See original GitHub issue

🐛 Bug Report

ua-parser-js version 0.7.29 and higher contain malware https://github.com/faisalman/ua-parser-js/issues/536#issue-1033602182

Prerequisites

I’m using the latest version of Docusaurus.
I have tried the npm run clear or yarn clear command.
I have tried rm -rf node_modules yarn.lock package-lock.json and re-installing packages.
I have tried creating a repro with https://new.docusaurus.io
I have read the console error message carefully (if applicable)

Description

one of the dependency installed with npm install of the latest docusaurus version was hijacked by a malware executable file. See above mentionned github issue link where you will get more details.

Issue Analytics

State:
Created 2 years ago
Reactions:13
Comments:6

Top GitHub Comments

3reactions

lex111commented, Oct 25, 2021

Looks like this security vulnerability in our transitive dependency ua-parser-js is fixed now, and malware code is not available for download, so please reinstall your npm packages. Or at least make sure, that your package-lock.json or yarn.lock file not contains ua-parser-js with one of these versions: 0.7.29, 0.8.0, 1.0.0.

1reaction

slorbercommented, Oct 27, 2021

Expo has a good write-up on this: https://blog.expo.dev/ua-parser-js-and-malicious-npm-packages-8c13ee4141a