PaddlePaddle / PaddleNLP

👑 Easy-to-use and powerful NLP and LLM library with 🤗 Awesome model zoo, supporting wide-range of NLP tasks from research to industrial applications, including 🗂Text Classification, 🔍 Neural Search, ❓ Question Answering, ℹ️ Information Extraction, 📄 Document Intelligence, 💌 Sentiment Analysis etc.
https://paddlenlp.readthedocs.io
Apache License 2.0
11.73k stars 2.86k forks

Dependency confusion supply-chain vulnerability detected #6657

Open ashishbijlani opened 11 months ago

ashishbijlani commented 11 months ago

Problem description

Hi,

I'm a cybersecurity researcher developing PackjGuard [1]. Our tool has detected a dependency confusion vulnerability in this repository. In order for me to disclose it, kindly enable GitHub Private vulnerability reporting, which allows security researchers to responsibly disclose a security vulnerability.

Thanks!

PackjGuard is a GitHub app that monitors repos for malicious, vulnerable, abandoned, and other "risky" dependencies and mitigates attacks by creating pull requests for automatic remediation: https://github.com/marketplace/packjguard

w5688414 commented 2 months ago

Thank you for your advice, we need to have a discussion on it!