Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
node-ipc package includes peacenotwar as a dependency
See original GitHub issueVersion
5.0.3
Environment info
N/A
Steps to reproduce
Starting a new project from Vue CLI. When the project is run, the file “WITH-LOVE-FROM-AMERICA.txt” appears on the desktop.
What is expected?
No nasty surprises.
What is actually happening?
“WITH-LOVE-FROM-AMERICA.txt” appears on the desktop.
There are a lot of complaints under the node-ipc issue page: https://github.com/RIAEvangelist/node-ipc/issues
I discovered this by finding “WITH-LOVE-FROM-AMERICA.txt” on my desktop.
Issue Analytics
- State:
- Created 2 years ago
- Reactions:2
- Comments:6
Top Results From Across the Web
Alert: peacenotwar module sabotages npm developers in the ...
It adds some example source code into the package contents. It adds peacenotwar as a dependency, and runs it when node-ipc is being...
Read more >vx-underground on Twitter: "Node-IPC latest update contains ...
Node -IPC latest update contains the "Peace not war" module which: 1. Wipes the disk of Belarusian and Russian computers 2.
Read more >Dev Sabotages Popular NPM Package to Protest Russian ...
The developer behind the hugely popular npm package “node-ipc” has released sabotaged versions of the library to condemn Russia's invasion of ...
Read more >BIG sabotage: Famous npm package deletes files to protest ...
This week, the developer of the popular npm package 'node-ipc' released sabotaged versions of the library in protest of the ongoing ...
Read more >node-ipc NPM Package sabotage to protest Ukraine invasion
“This was the result of the nested dependencies node-ipc and peacenotwar being sabotaged as an act of protest by the maintainer of the...
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
How can vue-cli be trusted after this? I wouldn’t touch any package downstream to node-ipc with a ten foot pole! As responsible developers you should replace node-ipc with an alternative package. It is only a matter of time before a country does something that the dev does not agree with, and decides to purge all user files from arbitrary countries.
Either vue.js changes this dependency, or I change out vue everywhere.
@rlidwka Well, node-ipc 9.2.1 itself is fine, but we cannot say the same about its transient dependencies, please see https://github.com/vuejs/vue-cli/issues/7051#issuecomment-1072279354 and further comments there.