
Information about how npm handles malicious versions of otherwise benign packages #438

Closed
HallvardMM opened this issue Feb 9, 2023 · 4 comments

Comments

@HallvardMM

I think the information regarding how npm handles malicious versions of otherwise benign packages could be improved in the documentation here:
https://docs.npmjs.com/reporting-malware-in-an-npm-package#how-npm-security-handles-malware.

Based on this issue for the ua-parser-js package, it seems like the version got unpublished.

Does the npm security team recommend unpublishing? This removes the history and explanation from the npm website.

@MylesBorins
Contributor

If we determine a specific version of a package is malicious, and the package has adoption and generally was useful, we unpublish the malicious version and publish an advisory to document the malicious content.
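
Since a malicious release is unpublished rather than left in the registry, a pinned lockfile can end up referencing a version that no longer exists. The following is an added example, not code from this thread or from npm, that flags such versions by comparing a package-lock.json against the package's registry document (packument); it assumes the registry keeps the unpublished version's timestamp under `time` while dropping it from `versions`, and embeds constructed sample data in place of a network fetch.

```javascript
// Constructed sample packument, modelled on the npm registry document
// layout (name, versions, time). Version 1.2.3 still has a "time"
// entry but no "versions" entry, which this example treats as the
// signature of an unpublished version (assumption, see lead-in).
const packument = {
  name: 'example-pkg',
  versions: { '1.2.2': {}, '1.2.4': {} },
  time: {
    created: '2023-01-01T00:00:00.000Z',
    modified: '2023-02-01T00:00:00.000Z',
    '1.2.2': '2023-01-01T00:00:00.000Z',
    '1.2.3': '2023-01-15T00:00:00.000Z',
    '1.2.4': '2023-01-20T00:00:00.000Z',
  },
};

// Constructed package-lock.json (lockfileVersion 3 layout) that pins the
// unpublished version, as a project that installed it before the
// unpublish would.
const lockfile = {
  name: 'app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'example-pkg': '^1.2.0' } },
    'node_modules/example-pkg': {
      version: '1.2.3',
      resolved: 'https://registry.npmjs.org/example-pkg/-/example-pkg-1.2.3.tgz',
    },
  },
};

// Classify every locked copy of the packument's package (top-level or
// nested under another dependency) as published, unpublished or unknown.
function checkLockedVersions(lock, doc) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    // The last "node_modules/" segment is the installed package name;
    // this also handles scoped names such as @scope/name.
    if (path === '' || path.split('node_modules/').pop() !== doc.name) continue;
    let status = 'unknown'; // never seen by the registry: investigate
    if (doc.versions[entry.version]) status = 'published';
    else if (doc.time[entry.version]) status = 'unpublished';
    findings.push({ path, version: entry.version, status });
  }
  return findings;
}

console.log(checkLockedVersions(lockfile, packument));
```

A real run would replace the constructed packument with the JSON served at `https://registry.npmjs.org/<name>` and then cross-check any `unpublished` hit against the published advisory before deciding whether the install was affected.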

@HallvardMM
Author

That seems to agree with what was done on the issue mentioned above. Should this information be added to the documentation, or is it such a rare case that you do not believe it is valuable to add?

@MylesBorins
Contributor

For high-profile situations we end up making decisions based on a variety of factors; I don't think it makes sense to explicitly document.

@HallvardMM
Author

Thanks for clarifying 😄
