ajv-validator / ajv-cli

Command-line interface for Ajv JSON Validator
https://ajv.js.org
MIT License

New maintained fork #241

Open jirutka opened 2 months ago

jirutka commented 2 months ago

Hi @epoberezkin, I see the last commit in this repository was three years ago, and it looks like it’s been unmaintained since then. Would you please consider adding a new maintainer?

I’ve forked ajv-cli and made many improvements and changes (see readme). I’d be happy to contribute it back and maintain it as part of the ajv-validator organisation.

LunarEclipse363 commented 1 month ago

Ahh I have been losing my mind over the problems with this, I made a fork myself and fixed the most glaring issues before finding this

Thank you for your work!

LunarEclipse363 commented 1 month ago

UPDATE

The package is fine, the 6.0.0-beta.4 version is just buggy when run with npx.
Version 6.0.0-beta.5 no longer has this issue.

The following ended up being a bug where a JavaScript file got executed as a bash script due to a missing shebang, running import in bash doing weird things because it's actually an ImageMagick command, and the consequences of me doing a dirty shutdown after getting scared by that.


original comment for reference

Nevermind running that package seems to have bricked my pc, that sure is a day ruined

I tried to run it with npx, immediately all the mouse/keyboard input on my computer got captured by some overlay (the cursor changed, keybindings to shut down stopped working), I quickly realized something's wrong and force-shutdown my computer, however the root partition has been corrupted in some way and it now fails to boot.

Presumably either the linked package or some dependency contains ransomware or similar.

EDIT: might also be some weird bug Idk, my home directory seems untouched at first glance, no obvious sign of ransomware in any case

jirutka commented 1 month ago

> Nevermind running that package seems to have bricked my pc, that sure is a day ruined

Which package, the original ajv-cli or my @jirutka/ajv-cli?

LunarEclipse363 commented 1 month ago

Your one, although I just managed to boot the computer from a backup bootloader, granted, programs crash, network doesn't work, and mouse input doesn't work, so something's quite wrong

jirutka commented 1 month ago

npm audit didn’t find any known vulnerability in the dependency graph. If you’re sure it’s somehow related to the package, can you please investigate which dependency has caused it? There might be some new critical vulnerability.

LunarEclipse363 commented 1 month ago

From the logs I can dig out something where my window manager logged that its main loop took like 5 seconds for an iteration, and also all input devices disconnecting with libinput getting unloaded.

Nothing particularly interesting in other files modified around that time, and I can't get file access times anymore because I forgot to mount the partition as read-only before running find on it.

I'm now wondering if this is some terrible coincidence but I don't think I was doing anything notable other than running this, will try to investigate the contents of my .npm folder

LunarEclipse363 commented 1 month ago

I've uploaded the contents of my ~/.npm here, the last log in there seems to be the relevant one to what was installed with the npx command I ran, and there's all the exact files, not sure how helpful that is but it's a starting point to investigating this further.

I managed to restore my computer into working order by booting a recovery environment and reinstalling all system packages, but I still don't understand what happened, other than when it happened was at the same time as when I was trying out your package.

Thank you for responding so fast by the way, I am not sure what happened but my PC suddenly crashing while installing new software just made me panic.

For reference, neither me nor a few people I asked to take a look found anything suspicious in your package, so this is likely either an issue with some dependency or some issue with my setup that manifested with very unfortunate timing (I couldn't find anything obvious like the drive dying though).

LunarEclipse363 commented 1 month ago

I investigated this further in a VM, and I can reproduce it - it looks like the program tries to execute itself as a bash script for some reason? This leads to Weird things happening.

Not sure how related that is to the specific issues I had with my computer afterwards.

It also only "bricks" Xorg, not Wayland, in the "overlay capturing all input" sense.

See this YouTube video for a presentation of what happens: https://youtu.be/Y14u-9M02T4

LunarEclipse363 commented 1 month ago

So the "overlay capturing input but only on xorg" thing was apparently what happens when bash tries to execute import.

And the broken OS was likely just caused by some filesystem damage due to the dirty shutdown.

I am relieved this is just a really weird bug and not anything actually serious 😅

jirutka commented 1 month ago

> So the "overlay capturing input but only on xorg" thing was apparently what happens when bash tries to execute import.

This is still a problem; what is trying to execute a JS script using bash, and why?

> I am relieved this is just a really weird bug and not anything actually serious 😅

Me too, I’m currently looking into it and haven’t found anything yet.

jirutka commented 1 month ago

Ahaa, I know where the problem is! There’s a missing shebang in the compiled main.js.

jirutka commented 1 month ago

I’ve released 6.0.0-beta.5 that fixes this problem.

Thanks for testing it and helping to troubleshoot the bug!

LunarEclipse363 commented 1 month ago

npx '@jirutka/ajv-cli@6.0.0-beta.5' works great, thank you!
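
The root cause found in this thread was a `bin` script published without a shebang, so it was run by a shell instead of by Node. As an added example (not part of the thread and not code from ajv-cli or its fork), this Node.js check could run before publishing to confirm that every `bin` target in package.json starts with a node shebang; the package name, file names and sample files are constructed for illustration.

```javascript
// Added example: verify that every "bin" target of a package starts with a shebang.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Normalise the two forms of package.json "bin": a string or a {name: path} map.
function binEntries(pkg) {
  if (typeof pkg.bin === 'string') return { [pkg.name.split('/').pop()]: pkg.bin };
  return pkg.bin || {};
}

// Return a list of problems; an empty list means every bin target names node.
function checkBinShebangs(pkgDir) {
  const pkg = JSON.parse(fs.readFileSync(path.join(pkgDir, 'package.json'), 'utf8'));
  const problems = [];
  for (const [name, rel] of Object.entries(binEntries(pkg))) {
    const file = path.join(pkgDir, rel);
    if (!fs.existsSync(file)) {
      problems.push(`${name}: ${rel} does not exist`);
      continue;
    }
    // Only the first line matters: "#!" there is what selects the interpreter.
    const firstLine = fs.readFileSync(file, 'utf8').split('\n', 1)[0];
    if (!firstLine.startsWith('#!')) {
      problems.push(`${name}: ${rel} has no shebang (a shell would interpret it)`);
    } else if (!/\bnode\b/.test(firstLine)) {
      problems.push(`${name}: ${rel} shebang is not node: ${firstLine}`);
    }
  }
  return problems;
}

// Constructed sample package (hypothetical names) with one good and one bad entry.
function buildSamplePackage() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'bin-check-'));
  fs.mkdirSync(path.join(dir, 'dist'));
  fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({
    name: '@example/sample-cli',
    bin: { good: 'dist/good.js', bad: 'dist/bad.js' },
  }));
  fs.writeFileSync(path.join(dir, 'dist/good.js'), '#!/usr/bin/env node\nimport "./main.js"\n');
  fs.writeFileSync(path.join(dir, 'dist/bad.js'), 'import "./main.js"\n');
  return dir;
}

const problems = checkBinShebangs(buildSamplePackage());
console.log(problems.length ? problems.join('\n') : 'all bin targets have a node shebang');
```

Pointing `checkBinShebangs` at the real package directory in a prepublish step and failing the build when the returned list is non-empty keeps a compiled entry point from shipping without its interpreter line.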