hyva-themes / magento2-checkout-example

A React Checkout template that allows you to quickly create a customized Hyvä Checkout for your project.
11 stars 2 forks

heads up: npmjs org(s) and possible dependency confusion #4

Closed DanielRuf closed 2 years ago

DanielRuf commented 2 years ago

Since dependency confusion is a realistic threat I have secured some of the orgs and packages (without further content) as the code uses aliases like @hyva:

(screenshot)

From the readme:

Note that the NPM package @hyva/react-checkout actually does not (yet) exist. It is a Webpack alias pointing to the path vendor/hyva-themes/magento2-hyva-checkout/src/reactapp/src.

Because I know too well from other cases like node-waf (https://www.npmjs.com/package/node-waf, predecessor of node-gyp) and primordials (https://www.npmjs.com/package/primordials, internal nodejs module that was eventually deprecated and removed; see also https://stackoverflow.com/questions/59750976/what-are-primordials-in-node-js) that it can happen that people install things when they think something is missing, but in fact these are aliases or internal packages.

I want to move these orgs to the Hyva team so that no one can abuse them for any other things.

Oh and I own the package hyva-checkout (https://www.npmjs.com/package/hyva-checkout) if this is relevant.

In the future: please try to register orgs that you might want to use in the future.

DanielRuf commented 2 years ago

cc @rajeev-k-tomy not sure if you are already aware of that

rajeev-k-tomy commented 2 years ago

@DanielRuf Awesome Daniel. Vinai will contact you. It is time to give it to the team :)

wigman commented 2 years ago

Really appreciate that @DanielRuf. Thanks for taking action on this.

Vinai commented 2 years ago

@DanielRuf Thanks for registering the scopes so nobody else grabs them. We now would like to use them, especially hyva-themes :)

Our npmjs.com usernames are willemwigman and vinai. Thanks!

PS: also messaged you on Slack and sent an email to the address of your slack user account.

DanielRuf commented 2 years ago

> @DanielRuf Thanks for registering the scopes so nobody else grabs them. We now would like to use them, especially hyva-themes :)

Currently I am on vacation so I can not check the emails and Slack.

I have sent you both the invitations and made Willem an owner of these three. You can then remove the other accounts from the orgs (me and the bitexpert-tech account).

(screenshot, 2022-04-11 13:21:01)

DanielRuf commented 2 years ago

@shochdoerfer fyi - not that you are surprised then =)

DanielRuf commented 2 years ago

Closing as resolved. Thanks everyone.