Closed. Kosta-Github closed this issue 3 years ago.
I am not feeling confident that some npm modules are pulled in from sinopia.nmlv.nml.com:

```
$ cat package-lock.json | grep sinopia
"resolved": "https://sinopia.nmlv.nml.com/bignumber.js/-/bignumber.js-9.0.0.tgz",
"resolved": "https://sinopia.nmlv.nml.com/mysql/-/mysql-2.18.1.tgz",
"resolved": "https://sinopia.nmlv.nml.com/readable-stream/-/readable-stream-2.3.7.tgz",
"resolved": "https://sinopia.nmlv.nml.com/sqlstring/-/sqlstring-2.3.1.tgz",
```
e.g.: https://github.com/CodeFoodPixels/node-promise-mysql/blob/0f980d0772e74db2a830da3e729af9fd8bce4ea0/package-lock.json#L1398
This is the corresponding commit (2 years old): https://github.com/CodeFoodPixels/node-promise-mysql/commit/d04be5ccdf9279200abad8df7b198114e84a8042
All other modules are coming from registry.npmjs.org.
Can you please verify and confirm?
Any updates on this?
Package-lock is ignored for anything other than the top level (the project using promise-mysql), so it wasn't actually a security issue, but I've updated it anyway.
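The grep in the report above only catches one hostname you already know about. As an added example (not part of promise-mysql or this issue), the script below audits a package-lock.json for every package whose `resolved` tarball URL points at a host other than the registry you expect, so a stray private registry such as sinopia.nmlv.nml.com shows up even if you were not looking for it. It handles lockfileVersion 1 (nested `dependencies`) and lockfileVersion 2/3 (flat `packages`). The two sample lockfiles are constructed for the example; the package names and URLs mirror the grep output above, but the nesting is assumed, and the `bluebird` and `local-lib` entries are invented to show entries that pass or are skipped.

```javascript
// Added example: audit a package-lock.json for "resolved" URLs that point at a
// registry other than the one(s) you trust. Not part of promise-mysql.

// Walk a lockfileVersion 1 tree: "dependencies" nest arbitrarily deep.
function* walkV1(deps, prefix = '') {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = prefix + name;
    yield [path, entry];
    if (entry.dependencies) yield* walkV1(entry.dependencies, path + ' > ');
  }
}

// Walk a lockfileVersion 2/3 map: keys look like
// "node_modules/a/node_modules/@scope/b"; "" is the root project itself.
function* walkV2(packages) {
  for (const [key, entry] of Object.entries(packages || {})) {
    if (key === '') continue;
    const path = key.replace(/^node_modules\//, '').split('/node_modules/').join(' > ');
    yield [path, entry];
  }
}

// Return every package whose tarball would be downloaded from a host that is
// not in allowedHosts. Entries with no "resolved" (bundled deps, file: links)
// or with a non-HTTP resolved URL (git+ssh:, file:) are skipped, so they do
// not produce noise; review those separately if your policy forbids them.
function auditLockfile(lock, allowedHosts = ['registry.npmjs.org']) {
  const entries = lock.packages ? walkV2(lock.packages) : walkV1(lock.dependencies);
  const findings = [];
  for (const [name, entry] of entries) {
    if (typeof entry.resolved !== 'string') continue;
    let host;
    try {
      const u = new URL(entry.resolved);
      if (u.protocol !== 'https:' && u.protocol !== 'http:') continue;
      host = u.hostname;
    } catch {
      host = '(unparseable)'; // always report something we cannot parse
    }
    if (!allowedHosts.includes(host)) {
      findings.push({ name, version: entry.version, resolved: entry.resolved, host });
    }
  }
  return findings;
}

// Constructed v1 sample (nesting under "mysql" is assumed for illustration).
const SAMPLE_LOCK_V1 = {
  name: 'example-app', lockfileVersion: 1,
  dependencies: {
    'bignumber.js': { version: '9.0.0', resolved: 'https://sinopia.nmlv.nml.com/bignumber.js/-/bignumber.js-9.0.0.tgz' },
    mysql: {
      version: '2.18.1', resolved: 'https://sinopia.nmlv.nml.com/mysql/-/mysql-2.18.1.tgz',
      dependencies: {
        'readable-stream': { version: '2.3.7', resolved: 'https://sinopia.nmlv.nml.com/readable-stream/-/readable-stream-2.3.7.tgz' },
        sqlstring: { version: '2.3.1', resolved: 'https://sinopia.nmlv.nml.com/sqlstring/-/sqlstring-2.3.1.tgz' },
      },
    },
    bluebird: { version: '3.7.2', resolved: 'https://registry.npmjs.org/bluebird/-/bluebird-3.7.2.tgz' },
    'local-lib': { version: 'file:../local-lib' }, // no resolved URL: skipped
  },
};

// Constructed v2 sample of the same situation in the flat "packages" layout.
const SAMPLE_LOCK_V2 = {
  name: 'example-app', lockfileVersion: 2,
  packages: {
    '': { name: 'example-app' },
    'node_modules/mysql': { version: '2.18.1', resolved: 'https://sinopia.nmlv.nml.com/mysql/-/mysql-2.18.1.tgz' },
    'node_modules/mysql/node_modules/sqlstring': { version: '2.3.1', resolved: 'https://sinopia.nmlv.nml.com/sqlstring/-/sqlstring-2.3.1.tgz' },
    'node_modules/bluebird': { version: '3.7.2', resolved: 'https://registry.npmjs.org/bluebird/-/bluebird-3.7.2.tgz' },
  },
};

// CLI use: node audit-lock.js path/to/package-lock.json [allowed.host ...]
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  const allowed = process.argv.length > 3 ? process.argv.slice(3) : undefined;
  const findings = auditLockfile(lock, allowed);
  for (const f of findings) console.log(`${f.name}@${f.version} <- ${f.resolved}`);
  process.exitCode = findings.length ? 1 : 0;
}
```

Run it against your own lockfile (`node audit-lock.js package-lock.json`) and it exits non-zero when anything resolves off-registry, which makes it usable as a CI gate. Note the maintainer's point still stands: npm only honours the lockfile of the top-level project, so a library's committed package-lock.json does not redirect its consumers' installs; the audit matters for the project you actually run `npm ci` in.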