cli-shared-utils using a node-ipc version that contains protestware


Version

5.0.1

Environment info

System:
    OS: Windows 10 10.0.19042
    CPU: (12) x64 Intel(R) Core(TM) i7-5930K CPU @ 3.50GHz
  Binaries:
    Node: 12.16.3 - C:\Program Files\nodejs\node.EXE
    Yarn: 1.22.15 - ~\AppData\Roaming\npm\yarn.CMD
    npm: 7.24.1 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Chrome: 98.0.4758.102
    Edge: Spartan (44.19041.1266.0), Chromium (99.0.1150.39)
  npmPackages:
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1
    @vue/babel-helper-vue-transform-on:  1.0.2
    @vue/babel-plugin-jsx:  1.1.1
    @vue/babel-plugin-transform-vue-jsx:  1.2.1
    @vue/babel-preset-app:  5.0.1
    @vue/babel-preset-jsx:  1.2.4
    @vue/babel-sugar-composition-api-inject-h:  1.2.1
    @vue/babel-sugar-composition-api-render-instance:  1.2.4
    @vue/babel-sugar-functional-vue:  1.2.2
    @vue/babel-sugar-inject-h:  1.2.2
    @vue/babel-sugar-v-model:  1.2.3
    @vue/babel-sugar-v-on:  1.2.3
    @vue/cli-overlay:  5.0.1
    @vue/cli-plugin-babel: ~5.0.0 => 5.0.1
    @vue/cli-plugin-eslint: ~5.0.0 => 5.0.1
    @vue/cli-plugin-router: ~5.0.0 => 5.0.1
    @vue/cli-plugin-vuex:  5.0.1
    @vue/cli-service: ~5.0.0 => 5.0.1
    @vue/cli-shared-utils:  5.0.1
    @vue/component-compiler-utils:  3.3.0
    @vue/web-component-wrapper:  1.3.0
    eslint-plugin-vue: ^8.0.3 => 8.5.0
    vue: ^2.6.14 => 2.6.14
    vue-eslint-parser:  8.3.0
    vue-hot-reload-api:  2.3.4
    vue-loader:  17.0.0 (15.9.8)
    vue-router: ^3.5.1 => 3.5.3
    vue-style-loader:  4.1.3
    vue-template-compiler: ^2.6.14 => 2.6.14
    vue-template-es2015-compiler:  1.9.1

Steps to reproduce

Node-ipc added a new dependency called peacenotwar to the latest version, and due to that, every time you do a run serve it creates a war protest file on your desktop.

https://github.com/RIAEvangelist/node-ipc/commit/1220522453a0388cb4af1a74fe9a0482b6b3a9f3
https://github.com/RIAEvangelist/peacenotwar

What is expected?

Vue cli cli-shared-utils should use an older node-ipc version

What is actually happening?

It’s using the latest

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 13 (6 by maintainers)

Top GitHub Comments

sodatea commented, Mar 15, 2022 (20 reactions)

Fixed in 5.0.3 and 4.5.16. Thanks for the report!

EJTH commented, Mar 18, 2022 (6 reactions)

Why continue using an untrustworthy package from an untrustworthy vendor? node-ipc should be replaced by alternatives.
