Closed kirillgroshkov closed 3 years ago
Thanks for pointing this out. Kind of mystified how this got added, since it's definitely not part of the repo. The person who published the package for v3.2.0 must have accidentally added it.
I've reviewed the package, and there's nothing malicious in it, and we're pinning to a specific version here, so no danger of `user` being updated with something malicious. We'll plan on putting out a patch version of the braintree package early next week and alter our release process to catch this next time.
Again, thanks so much for pointing this out to us!
Looks like the person who did the last release had intended to type `npm adduser` to log in to the account, but accidentally typed `npm add user` (apparently, `add` is an alias for `install`) and didn't notice that an additional package was added.
We've just released v3.2.1 which removes this dependency and updated our release script to prevent this kind of error in the future.
Thanks again for bringing it to our attention!
Hey guys.
In 3.2.0 you've added an extra dependency
user
which doesn't look very useful to me. Please be careful with what you put on your clients' computers ❤️