WICG / inert

Polyfill for the inert attribute and property.

Malicious behavior detected in wicg-inert-3.1.2 package #198

Closed rupeshdeotale97 closed 2 months ago

rupeshdeotale97 commented 3 months ago

This package has been identified by Mend as containing potential malicious functionality. The severity of the functionality can change depending on where the library is running (user's machine or backend server). The following risks were identified: Malware dropper – this package contains a Trojan horse, allowing the unauthorized installation of other potentially malicious software.

Similar issue reported over the wicg-inert-3.1.2 package.

jlczuk commented 2 months ago

Someone created PR-197 to address this.

Mend identified this package as being vulnerable because it refers to the old polyfill.io domain, which should no longer be used or referred to.

VikrantSangwan commented 2 months ago

Is this issue resolved? I could see the PR (mentioned above) is still in the open state. Should we switch to the wicg-inert-3.1.1 package while this issue persists?

Eric-Arellano commented 2 months ago

Is this issue resolved

It will not be resolved until https://github.com/WICG/inert/pull/197 is merged and the package is re-released with 3.1.1.

bkardell commented 2 months ago

Merged, but just to note: it's a bit of the documentation that had some outdated advice, not the package/code itself that was problematic.

CeceliaYu commented 2 months ago

The PR is merged; does that mean we can have 3.1.3 released shortly?

rupeshdeotale97 commented 2 months ago

@bkardell Any plan to release this change in 3.1.3?

jlczuk commented 2 months ago

It would have been nice to remove references to polyfill.io from the README.md and karma.conf.js files too.
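The triage described in this thread (a flagged domain turning up in documentation and test-runner config rather than in shipped code) can be automated. The scanner below is an added example written for this discussion, not code from the WICG/inert project; the file contents it scans are constructed to mirror the files named above (README.md, karma.conf.js, and the polyfill's own source).

```python
"""Scan an unpacked npm package for references to the retired polyfill.io
domain and report where each one lives, so a scanner flag like the one on
wicg-inert 3.1.2 can be triaged as docs/config versus shipped code.
Example code for this thread, not part of the WICG/inert project."""
import os
import re
import tempfile

# Domain named in the thread; extend the tuple for other retired CDNs.
FLAGGED_DOMAINS = ("polyfill.io",)
DOMAIN_RE = re.compile(
    r"(?:https?:)?//(?:[\w-]+\.)*(" + "|".join(map(re.escape, FLAGGED_DOMAINS)) + r")\b",
    re.IGNORECASE,
)
# Files a consumer actually loads are "code"; docs and test config are
# lower risk (as bkardell noted) but still worth cleaning up (as jlczuk noted).
CODE_EXTS = {".js", ".mjs", ".cjs", ".ts", ".html"}
DOC_EXTS = {".md", ".txt"}
CONFIG_NAMES = {"karma.conf.js", "package.json"}

def classify(path):
    """Bucket a file as config, docs, code or other by name/extension."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    if name in CONFIG_NAMES:
        return "config"
    if ext in DOC_EXTS:
        return "docs"
    return "code" if ext in CODE_EXTS else "other"

def scan_package(root):
    """Return sorted (relative path, line no, category, domain) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for m in DOMAIN_RE.finditer(line):
                        findings.append((os.path.relpath(full, root), lineno,
                                         classify(full), m.group(1).lower()))
    return sorted(findings)

def demo():
    """Build a constructed package tree mirroring the thread, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {  # constructed sample contents, not the real package files
            "README.md": "Load it from https://cdn.polyfill.io/v2/polyfill.min.js\n",
            "karma.conf.js": "files: ['https://polyfill.io/v3/polyfill.min.js'],\n",
            os.path.join("src", "inert.js"): "// no third-party CDN references\n",
        }
        for rel, text in files.items():
            os.makedirs(os.path.dirname(os.path.join(tmp, rel)) or tmp, exist_ok=True)
            with open(os.path.join(tmp, rel), "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_package(tmp)
```

Run against a real `npm pack` extraction (`scan_package("package")`) to confirm that no finding falls in the "code" bucket before deciding whether a flag needs a code fix or only a docs cleanup.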

ForkInSpace commented 1 month ago

@bkardell Can this now be released on NPM?