The Arduino IDE2 repository package.json file references two sub-packages, using the workspaces functionality. Even if these sub-packages are private, their name can be registered online on npmjs.com and any content can be published in it, including malware. If this happens, NPM or Yarn will report that the Arduino IDE2 project contains malware.
Describe the request
The Arduino IDE2 repository
package.jsonfile references two sub-packages, using theworkspacesfunctionality. Even if these sub-packages are private, their name can be registered online on npmjs.com and any content can be published in it, including malware. If this happens, NPM or Yarn will report that the Arduino IDE2 project contains malware.See this reproduction example repo here.
Proposed solution:
arduino-ide-extensionpackage (inside this package.json file) to@arduino/arduino-ide-extensionmaking it scoped.arduino-ide-extensionfolder.Notes:
@arduinoorganization on npmjs.com, so this change should block anybody from publishing again a package containing malware.Arduino IDE version
2.3.2