Open MidSpike opened 2 years ago
The reason behind calling these "vulnerable to supply-chain attacks" stems from @RIAEvangelist:

- authoring the commit behind CVE-2022-23812
- publicly stating (citation):

  > This code serves as a [...] example of why controlling your node modules is important.

- also saying (citation):

  > [...] damn good sleuthing.
Google defines "sleuthing" as "careful investigation into a crime or mystery".

For the reasons stated above, I believe that any code currently contained in this repository that uses packages maintained by @RIAEvangelist is at risk of a supply-chain attack.
Looking at the `package.json` has led me to the following findings:

Originally posted by @MidSpike in https://github.com/MidSpike/node-ipc/issues/3#issuecomment-1075648693