electrode-io / electrode-native

A platform to ease integration&delivery of React Native apps in existing mobile applications
https://native.electrode.io

CVE-2022-23812: YOUR CODE IS INFECTED WITH MALICIOUS DEPENDENCY - node-ipc #1858

Closed lgg closed 2 years ago

lgg commented 2 years ago

The newest version of node-ipc deletes all users' files from the device. You should not use this dependency anymore!

You can learn more here: https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c

Check the possible solution that was already applied in vue.js: https://github.com/vuejs/vue-cli/issues/7054#issuecomment-1068677029

Also check more here: https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/

friederbluemle commented 2 years ago

Hi @lgg - Thanks for the heads-up. The version of node-ipc we declare in package.json is ^9.1.4 (locked to 9.2.1 in yarn.lock). Version 9.2.1 is not affected by this exploit. Just to make extra sure, I'll remove the caret and specify version 9.2.1 explicitly to avoid any unintended upgrades in the future to a version that is affected.