If we determine a specific version of a package is malicious, and the package has adoption and generally was useful, we unpublish the malicious version and publish an advisory to document the malicious content.
That seems to agree with what was done on the issue mentioned above. Should this information be added to the documentation, or is it such a rare case that you do not believe it is valuable to add?
I think the information regarding how npm handles malicious versions of otherwise benign packages could be improved in the documentation here:
https://docs.npmjs.com/reporting-malware-in-an-npm-package#how-npm-security-handles-malware.
Based on this issue for the ua-parser-js package it seems like the version got unpublished. Does the npm security team recommend unpublishing? This removes the history and explanation from the npm website.