AppsFlyerSDK / appsflyer-cordova-plugin

AppsFlyer plugin for Cordova
MIT License

package-lock not pointing at official npm sources #185

Closed unusualbob closed 2 years ago

unusualbob commented 2 years ago

Hi,

The company I work for was evaluating this repository and we noticed that the package-lock contains dependency references to unofficial mirrors on huaweicloud.com.

For example: https://github.com/AppsFlyerSDK/appsflyer-cordova-plugin/blob/d4ca026716f426d966a2a23ec928ed855533b8cb/package-lock.json#L9

It looks like they were pointing at the official location up until a recent rebase at the end of July; here's a previous version of the lock file: https://github.com/AppsFlyerSDK/appsflyer-cordova-plugin/blob/07fe31c25ebc763d740b7f832fc5be6c28d54f09/package-lock.json#L9

Is there a reason for this, or is it unintentional?

Given that dependencies have been a known method of introducing malicious code in the past few years, we're concerned that this package is not taking dependency security seriously.
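A defender-side check for the situation this issue describes, added here as an example and not part of the plugin's own code: it walks a package-lock.json (either the v1 nested `dependencies` layout or the v2/v3 flat `packages` map) and reports every `resolved` URL whose host is not the official npm registry. The lock object and the mirror URLs in it are constructed for the example.

```javascript
// Added example (not from the appsflyer-cordova-plugin project): flag
// package-lock "resolved" URLs that do not come from the official registry.
const OFFICIAL_HOSTS = new Set(["registry.npmjs.org", "registry.yarnpkg.com"]);

// Returns the parsed URL, or null for git specs, local paths and other non-URLs.
function parseResolved(resolved) {
  try { return new URL(resolved); } catch (e) { return null; }
}

// Yields [name, resolvedUrl] pairs from whichever lockfile layout is present.
function* resolvedEntries(lock) {
  // lockfileVersion 2/3: flat map keyed by install path ("node_modules/foo")
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    if (meta && meta.resolved) yield [path.replace(/^.*node_modules\//, ""), meta.resolved];
  }
  // lockfileVersion 1 (also kept in v2 for compatibility): nested "dependencies"
  const walk = function* (deps) {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (meta.resolved) yield [name, meta.resolved];
      yield* walk(meta.dependencies);
    }
  };
  yield* walk(lock.dependencies);
}

// Each finding is {name, resolved, host}; unparsable specs and plain-http
// URLs are reported as well, since both bypass the registry-over-TLS path.
function findUnofficialResolved(lock) {
  const seen = new Set();
  const findings = [];
  for (const [name, resolved] of resolvedEntries(lock)) {
    const key = name + "@" + resolved; // dedupe v1/v2 duplicate entries
    if (seen.has(key)) continue;
    seen.add(key);
    const url = parseResolved(resolved);
    const host = url ? url.host : null;
    if (!url || url.protocol !== "https:" || !OFFICIAL_HOSTS.has(host)) {
      findings.push({ name, resolved, host });
    }
  }
  return findings;
}

// Constructed sample lock (v1 layout): one official entry, one mirror entry
// with a nested dependency that also resolves somewhere unofficial.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "lodash": { version: "4.17.21", resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
    "minimist": { version: "1.2.6", resolved: "https://mirrors.huaweicloud.com/repository/npm/minimist/-/minimist-1.2.6.tgz",
      dependencies: { "nested-pkg": { version: "0.1.0", resolved: "https://mirror.example.invalid/nested-pkg-0.1.0.tgz" } } }
  }
};

for (const f of findUnofficialResolved(SAMPLE_LOCK)) console.log(`${f.name}: ${f.resolved}`);
```

Pointing `findUnofficialResolved` at a real lock (after `JSON.parse` of the file) gives a quick pre-merge gate for the drift the issue reports; an empty result means every tarball resolves to the official registry over HTTPS.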

pazlavi commented 2 years ago

Hi @unusualbob, thank you for reaching out to us and raising this issue.

We unintentionally used this source. It happened because of a wrong configuration on the machine the plugin was released from. We have already fixed the configuration, and the upcoming version will point to the official repo.