Closed lgg closed 2 years ago
Hi @lgg - Thanks for the heads-up. The version of node-ipc we declare in package.json is ^9.1.4 (locked to 9.2.1 in yarn.lock). Version 9.2.1 is not affected by this exploit. Just to make extra sure, I'll remove the caret and specify version 9.2.1 explicitly to avoid any unintended upgrades in the future to a version that is affected.
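As an added illustration of the pinning step described in the reply above (not code from this repository), this script reports which package.json dependencies are still declared as ranges and what yarn.lock resolves them to. The function names, the example-lib package and the sample lockfile text are constructed, and the parser assumes the yarn v1 lockfile format.

```javascript
// Added example: inputs are constructed, using the versions quoted in the thread.
const samplePackageJson = {
  dependencies: { 'node-ipc': '^9.1.4', 'example-lib': '1.3.0' }, // example-lib is hypothetical
};
const sampleYarnLock = [
  '# yarn lockfile v1', '',
  'example-lib@1.3.0:', '  version "1.3.0"', '',
  'node-ipc@^9.1.4:', '  version "9.2.1"', '',
].join('\n');

// Map each "name@range" key of a yarn v1 lockfile to the version it resolves to.
function parseYarnLock(text) {
  const resolved = new Map();
  let keys = [];
  for (const line of text.split(/\r?\n/)) {
    if (line.startsWith('#') || line.trim() === '') continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      // Entry header; several ranges can share one entry: a@^1.0.0, a@^1.1.0:
      keys = line.slice(0, -1).split(',').map((k) => k.trim().replace(/^"|"$/g, ''));
    } else {
      const m = /^ {2}version "([^"]+)"/.exec(line);
      if (m) for (const k of keys) resolved.set(k, m[1]);
    }
  }
  return resolved;
}

const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Status per dependency:
//   floating: a range such as ^9.1.4, so a regenerated lockfile may pick a newer release
//   not-in-lockfile: package.json changed but yarn.lock was not regenerated
//   lock-mismatch: exact pin, but the lockfile resolves to a different version
//   pinned: exact version and the lockfile agrees
function auditPins(pkg, lockText) {
  const lock = parseYarnLock(lockText);
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      const locked = lock.get(`${name}@${range}`) || null;
      let status = 'pinned';
      if (!locked) status = 'not-in-lockfile';
      else if (!EXACT.test(range)) status = 'floating';
      else if (locked !== range) status = 'lock-mismatch';
      findings.push({ name, range, locked, status });
    }
  }
  return findings;
}

console.log(auditPins(samplePackageJson, sampleYarnLock));
```

Run against the sample, node-ipc is reported as floating until the caret is removed and the lockfile is regenerated to match.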
The newest version of node-ipc deletes all users' files from the device. You should not use this dependency anymore!
You can learn more here: https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c
Check the possible solution that was already applied in vue.js: https://github.com/vuejs/vue-cli/issues/7054#issuecomment-1068677029
Also check more here: https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/