CodeFoodPixels / node-promise-mysql

A wrapper for mysqljs/mysql that wraps function calls with Bluebird promises.
MIT License
338 stars 63 forks

security issue? some npm modules are pulled in from "sinopia.nmlv.nml.com" instead of "registry.npmjs.org" #157

Closed Kosta-Github closed 3 years ago

Kosta-Github commented 3 years ago

I am not feeling confident that some npm modules are pulled in from sinopia.nmlv.nml.com:

$ cat package-lock.json | grep sinopia

      "resolved": "https://sinopia.nmlv.nml.com/bignumber.js/-/bignumber.js-9.0.0.tgz",
      "resolved": "https://sinopia.nmlv.nml.com/mysql/-/mysql-2.18.1.tgz",
          "resolved": "https://sinopia.nmlv.nml.com/readable-stream/-/readable-stream-2.3.7.tgz",
      "resolved": "https://sinopia.nmlv.nml.com/sqlstring/-/sqlstring-2.3.1.tgz",

e.g.: https://github.com/CodeFoodPixels/node-promise-mysql/blob/0f980d0772e74db2a830da3e729af9fd8bce4ea0/package-lock.json#L1398

This is the corresponding commit (2 years old): https://github.com/CodeFoodPixels/node-promise-mysql/commit/d04be5ccdf9279200abad8df7b198114e84a8042

all other modules are coming from registry.npmjs.org.

Can you please verify and confirm?

Kosta-Github commented 3 years ago

any updates on this?

CodeFoodPixels commented 3 years ago

Package-lock is ignored for anything other than the top level (the project using promise-mysql), so it wasn't actually a security issue, but I've updated it anyway.