jublo / codebird-php

Easy access to the Twitter REST API, Direct Messages API, Account Activity API, TON (Object Nest) API and Twitter Ads API — all from one PHP library.
https://www.jublo.net/projects/codebird/php
GNU General Public License v3.0
777 stars 237 forks

Packagist hack? #270

Open shaneiseminger opened 2 years ago

shaneiseminger commented 2 years ago

Not sure what's happening here, but it doesn't look right.

Composer installs started failing today saying that an existing commit doesn't exist.

We have had this package installed for years:

https://packagist.org/packages/jublonet/codebird-php

I see that the page seems to list active data for the project, but it links to this repo, which is empty but for a single file:

https://github.com/jublonet/codebird-php

If you look at the user who committed the file there, they've made several other commits on other repos of the same or similar file.

dave2309 commented 2 years ago

Same here

mynetx commented 2 years ago

@shaneiseminger @dave2309 Thanks for notifying us about this issue. We’ve updated Packagist to reflect the current GitHub repo URL.

Here’s what happened: We had renamed our GitHub organisation years ago, and there had been an automatic redirect in place, sending users from jublonet to jublo. However now someone created a new GitHub organization called jublonet, clearly with the intention of misleading users and breaking Composer installations of Codebird.

//cc @joshuaatkins
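The failure mode described in the comment above (a Packagist package whose Git source still points at an old organisation name that a third party has since registered) is something a composer.lock audit can catch before an install runs. The script below is an added example, not code from the Codebird project or from Packagist: it parses a constructed composer.lock fragment, compares each package's GitHub organisation against an assumed vendor-to-organisation allowlist (the `EXPECTED_ORG` mapping is an assumption for the example), and also flags any package whose source reference is not a full 40-hex commit hash.

```python
"""Audit a composer.lock for repository-origin drift and unpinned references.

Added example (not part of jublo/codebird-php). The lock fragment and the
EXPECTED_ORG allowlist below are constructed for illustration.
"""
import json
import re

# Constructed composer.lock fragment: the first entry mirrors the situation in
# this issue (package name under the old 'jublonet' vendor, source URL still
# pointing at the github.com/jublonet organisation); the second is a generic
# package pinned to a branch name instead of a commit hash.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {
            "name": "jublonet/codebird-php",
            "version": "4.0.0",
            "source": {
                "type": "git",
                "url": "https://github.com/jublonet/codebird-php.git",
                "reference": "0123456789abcdef0123456789abcdef01234567",  # constructed hash
            },
        },
        {
            "name": "acme/widgets",
            "version": "dev-main",
            "source": {
                "type": "git",
                "url": "https://github.com/acme/widgets.git",
                "reference": "main",
            },
        },
    ],
    "packages-dev": [],
})

# Assumed allowlist: Packagist vendor prefix -> GitHub organisation the
# package is expected to be served from. Maintain this from your own records
# of where each dependency actually lives, not from the lock file itself.
EXPECTED_ORG = {
    "jublonet": "jublo",
    "acme": "acme",
}

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
GITHUB_URL = re.compile(r"^https://github\.com/([^/]+)/([^/]+?)(?:\.git)?$")


def audit_lock(lock_json, expected_org):
    """Return a list of (package name, finding) tuples for suspicious entries."""
    findings = []
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg["name"]
        vendor = name.split("/", 1)[0]
        source = pkg.get("source") or {}
        url = source.get("url", "")
        ref = source.get("reference", "")

        match = GITHUB_URL.match(url)
        if not match:
            findings.append((name, "source is not a github.com URL: %r" % url))
            continue

        # GitHub organisation names are case-insensitive, so compare lowercased.
        org = match.group(1)
        want = expected_org.get(vendor)
        if want is not None and org.lower() != want.lower():
            findings.append(
                (name, "source org %r differs from expected %r" % (org, want))
            )

        # A branch or tag name can be moved by whoever controls the repository;
        # only a full commit hash pins the exact tree Composer will check out.
        if not FULL_SHA.match(ref):
            findings.append(
                (name, "reference %r is not a pinned 40-hex commit" % ref)
            )
    return findings


if __name__ == "__main__":
    for package, finding in audit_lock(SAMPLE_LOCK, EXPECTED_ORG):
        print("%s: %s" % (package, finding))
```

Run against the constructed input, the audit reports the jublonet/codebird-php entry as pointing at an organisation other than jublo, and the acme/widgets entry as unpinned. The second check matters for the same reason this incident surfaced as a failed install rather than a silent substitution: with a full commit hash in the lock file, a repository that has been replaced cannot serve the pinned tree, so Composer stops instead of fetching whatever the new owner committed.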

dave2309 commented 2 years ago

@joshuaatkins thanks for your reply. Still, Packagist is only showing jublonet/codebird-php instead of jublo/codebird-php. Any idea how long that would need to propagate (if necessary)?

mynetx commented 2 years ago

@dave2309 The package should already have the updated source URL from GitHub. I did a test install on a blank folder, and Composer did pick up the correct files for me.

The Packagist package name itself cannot be updated for (similar) security reasons, and the only path for us would be to declare the jublonet/* packages as abandoned and superseded by newly submitted jublo/* packages.

dave2309 commented 2 years ago

@mynetx thanks, working now...

shaneiseminger commented 2 years ago

We had renamed our GitHub organisation years ago, and there had been an automatic redirect in place, sending users from jublonet to jublo. However now someone created a new GitHub organization called jublonet, clearly with the intention of misleading users and breaking Composer installations of Codebird.

Ah, makes sense now. Going to flag the user doing it as s/he/they is clearly trying to do that with a lot of repos and it also clearly opens a huge security hole through which any kind of code could be injected.