search

oxen-io / session-desktop

Session Desktop - Onion routing based messenger
https://getsession.org
GNU General Public License v3.0
1.55k stars 196 forks source link

session private messenger does not consider supply chain attacks yet? #2321

Closed adrelanos closed 1 year ago

adrelanos commented 2 years ago

The copay wallet (hosted by bitpay, a big Bitcoin payment processing company) had backdoor:

If more than 100 BTC, steal it. Otherwise, don’t bother.

sources:

How does session private messenger mitigate such issues supply chain attacks?

adrelanos commented 2 years ago

The dependency chain is quite gigantic.

I am not an NPM expert. Someone I trust sent me the following NPM dependency tree.

Considering the previous backdoor in the dependency chain of copy, it seems quite likely to be that any of the following 500 dependencies might be malicious.

session-desktop@1.8.4 (500 deps, 147.74mb, 40183 files)
├─┬ @reduxjs/toolkit@1.8.1 (6 deps, 12.24mb, 595 files)
│ ├── immer@9.0.14 (844.95kb, 70 files)
│ ├─┬ redux@4.2.0 (2 deps, 369.72kb, 217 files)
│ │ ╰── @babel/runtime@7.17.9 (🔗, 1 dep, 195.31kb, 196 files)
│ ├── redux-thunk@2.4.1 (31.32kb, 12 files)
│ ╰── reselect@4.1.5 (164.98kb, 16 files)
├─┬ abort-controller@3.0.0 (1 dep, 258.96kb, 24 files)
│ ╰── event-target-shim@5.0.1 (184.46kb, 10 files)
├── auto-bind@4.0.0 (6.55kb, 7 files)
├─┬ backbone@1.3.3 (1 dep, 1011.08kb, 509 files)
│ ╰── underscore@1.13.3 (880.37kb, 503 files)
├─┬ better-sqlite3@7.5.0 (9 deps, 9.42mb, 189 files)
│ ├─┬ bindings@1.5.0 (1 dep, 18.85kb, 14 files)
│ │ ╰── file-uri-to-path@1.0.0 (7.88kb, 10 files)
│ ╰─┬ tar@6.1.11 (6 deps, 263.12kb, 63 files)
│   ├── chownr@2.0.0 (5.61kb, 4 files)
│   ├─┬ fs-minipass@2.1.0 (2 deps, 65.07kb, 13 files)
│   │ ╰── minipass@3.1.6 (🔗, 1 dep, 51.31kb, 9 files)
│   ├─┬ minipass@3.1.6 (1 dep, 51.31kb, 9 files)
│   │ ╰── yallist@4.0.0 (🔗, 14.41kb, 5 files)
│   ├─┬ minizlib@2.1.2 (2 deps, 68.21kb, 14 files)
│   │ ├── minipass@3.1.6 (🔗, 1 dep, 51.31kb, 9 files)
│   │ ╰── yallist@4.0.0 (🔗, 14.41kb, 5 files)
│   ├── mkdirp@1.0.4 (18.64kb, 12 files)
│   ╰── yallist@4.0.0 (14.41kb, 5 files)
├── blob-util@2.0.2 (77.18kb, 9 files)
├── blueimp-canvas-to-blob@3.29.0 (14.35kb, 6 files)
├── blueimp-load-image@5.14.0 (172.09kb, 15 files)
├── buffer-crc32@0.2.13 (7.77kb, 4 files)
├─┬ bunyan@1.8.12 (20 deps, 3.55mb, 576 files)
│ ├─┬ dtrace-provider@0.8.8 (1 dep, 494.46kb, 75 files)
│ │ ╰── nan@2.14.2 (🔗, 408.19kb, 46 files)
│ ├─┬ mv@2.1.1 (15 deps, 207.35kb, 113 files)
│ │ ├─┬ mkdirp@0.5.6 (1 dep, 39.93kb, 27 files)
│ │ │ ╰── minimist@1.2.6 (32.42kb, 21 files)
│ │ ├── ncp@2.0.0 (17.55kb, 20 files)
│ │ ╰─┬ rimraf@2.4.5 (11 deps, 139.83kb, 56 files)
│ │   ╰─┬ glob@6.0.4 (10 deps, 128.1kb, 51 files)
│ │     ├── inflight@1.0.6 (🔗, 3 deps, 13.41kb, 16 files)
│ │     ├── inherits@2.0.4 (🔗, 3.87kb, 5 files)
│ │     ├── minimatch@3.1.2 (🔗, 3 deps, 56.41kb, 20 files)
│ │     ├── once@1.4.0 (🔗, 1 dep, 6.84kb, 8 files)
│ │     ╰── path-is-absolute@1.0.1 (🔗, 3.53kb, 4 files)
│ ├── safe-json-stringify@1.2.0 (22.22kb, 9 files)
│ ╰── moment@2.21.0 (🔗, 2.42mb, 362 files)
├─┬ bytebuffer@5.0.1 (1 dep, 1.12mb, 108 files)
│ ╰── long@3.2.0 (192.05kb, 24 files)
├── classnames@2.2.5 (16.57kb, 9 files)
├─┬ color@3.2.1 (6 deps, 125.03kb, 35 files)
│ ├─┬ color-convert@1.9.3 (1 dep, 35.47kb, 14 files)
│ │ ╰── color-name@1.1.3 (9.14kb, 7 files)
│ ╰─┬ color-string@1.9.1 (3 deps, 73.37kb, 17 files)
│   ├── color-name@1.1.4 (6.54kb, 4 files)
│   ╰─┬ simple-swizzle@0.2.2 (1 dep, 56.96kb, 9 files)
│     ╰── is-arrayish@0.3.2 (53.44kb, 5 files)
├─┬ config@1.28.1 (2 deps, 152.52kb, 153 files)
│ ├── json5@0.4.0 (67.68kb, 141 files)
│ ╰── os-homedir@1.0.2 (3.08kb, 4 files)
├── country-code-lookup@0.0.19 (57.79kb, 9 files)
├── curve25519-js@0.0.4 (48.79kb, 8 files)
├── dompurify@2.3.8 (659.9kb, 11 files)
├── electron-is-dev@1.2.0 (3.27kb, 5 files)
├─┬ electron-localshortcut@3.2.1 (5 deps, 85.47kb, 33 files)
│ ├─┬ debug@4.3.4 (1 dep, 48.04kb, 11 files)
│ │ ╰── ms@2.1.2 (6.68kb, 4 files)
│ ├── electron-is-accelerator@0.1.2 (5.7kb, 8 files)
│ ├── keyboardevent-from-electron-accelerator@2.0.0 (10.95kb, 5 files)
│ ╰── keyboardevents-areequal@0.2.2 (3.73kb, 5 files)
├─┬ electron-updater@4.6.5 (18 deps, 1.52mb, 350 files)
│ ├── @types/semver@7.3.9 (22.86kb, 48 files)
│ ├─┬ builder-util-runtime@8.9.2 (3 deps, 259.6kb, 52 files)
│ │ ├── debug@4.3.4 (🔗, 1 dep, 48.04kb, 11 files)
│ │ ╰── sax@1.2.4 (53.31kb, 4 files)
│ ├─┬ fs-extra@10.1.0 (4 deps, 121.85kb, 52 files)
│ │ ├── graceful-fs@4.2.10 (🔗, 31.71kb, 7 files)
│ │ ├── jsonfile@6.1.0 (🔗, 2 deps, 55.53kb, 17 files)
│ │ ╰── universalify@2.0.0 (4.53kb, 4 files)
│ ├─┬ js-yaml@4.1.0 (1 dep, 562.78kb, 40 files)
│ │ ╰── argparse@2.0.1 (167.53kb, 7 files)
│ ├── lazy-val@1.0.5 (2.52kb, 5 files)
│ ├── lodash.escaperegexp@4.1.2 (7.43kb, 4 files)
│ ├── lodash.isequal@4.5.0 (51.44kb, 4 files)
│ ╰─┬ semver@7.3.7 (2 deps, 115.05kb, 60 files)
│   ╰─┬ lru-cache@6.0.0 (1 dep, 29.68kb, 9 files)
│     ╰── yallist@4.0.0 (🔗, 14.41kb, 5 files)
├─┬ emoji-mart@2.11.2 (5 deps, 3.65mb, 149 files)
│ ╰─┬ prop-types@15.8.1 (4 deps, 141.47kb, 38 files)
│   ├── loose-envify@1.4.0 (🔗, 1 dep, 20.39kb, 13 files)
│   ├── object-assign@4.1.1 (🔗, 5.36kb, 4 files)
│   ╰── react-is@16.13.1 (🔗, 23.39kb, 9 files)
├── filesize@3.6.1 (14.47kb, 5 files)
├── firstline@1.2.1 (291.73kb, 9 files)
├─┬ fs-extra@9.0.0 (5 deps, 188.59kb, 58 files)
│ ├── at-least-node@1.0.0 (2.56kb, 4 files)
│ ├── graceful-fs@4.2.10 (31.71kb, 7 files)
│ ├─┬ jsonfile@6.1.0 (2 deps, 55.53kb, 17 files)
│ │ ├── universalify@2.0.0 (4.53kb, 4 files)
│ │ ╰── graceful-fs@4.2.10 (🔗, 31.71kb, 7 files)
│ ╰── universalify@1.0.0 (4.52kb, 4 files)
├─┬ glob@7.1.2 (11 deps, 144.5kb, 57 files)
│ ├── fs.realpath@1.0.0 (13.12kb, 5 files)
│ ├─┬ inflight@1.0.6 (3 deps, 13.41kb, 16 files)
│ │ ├── once@1.4.0 (🔗, 1 dep, 6.84kb, 8 files)
│ │ ╰── wrappy@1.0.2 (2.89kb, 4 files)
│ ├── inherits@2.0.4 (3.87kb, 5 files)
│ ├─┬ minimatch@3.1.2 (3 deps, 56.41kb, 20 files)
│ │ ╰─┬ brace-expansion@1.1.11 (2 deps, 22.32kb, 16 files)
│ │   ├── balanced-match@1.0.2 (6.78kb, 5 files)
│ │   ╰── concat-map@0.0.1 (4.75kb, 7 files)
│ ├─┬ once@1.4.0 (1 dep, 6.84kb, 8 files)
│ │ ╰── wrappy@1.0.2 (2.89kb, 4 files)
│ ╰── path-is-absolute@1.0.1 (3.53kb, 4 files)
├─┬ image-type@4.1.0 (1 dep, 41.47kb, 10 files)
│ ╰── file-type@10.11.0 (34.48kb, 5 files)
├─┬ ip2country@1.0.1 (15 deps, 5.24mb, 125 files)
│ ╰─┬ asbycountry@1.4.2 (14 deps, 1.62mb, 110 files)
│   ├── chalk@1.1.3 (🔗, 7 deps, 36.69kb, 32 files)
│   ╰─┬ fetch@1.1.0 (5 deps, 867.69kb, 72 files)
│     ├─┬ biskviit@1.0.1 (1 dep, 447.89kb, 17 files)
│     │ ╰── psl@1.8.0 (🔗, 422.87kb, 8 files)
│     ╰─┬ encoding@0.1.12 (2 deps, 378.65kb, 41 files)
│       ╰─┬ iconv-lite@0.4.24 (1 dep, 369.38kb, 33 files)
│         ╰── safer-buffer@2.1.2 (🔗, 41.31kb, 7 files)
├── jquery@3.3.1 (1.2mb, 123 files)
├── jsbn@1.1.0 (45.82kb, 9 files)
├─┬ libsodium-wrappers-sumo@0.7.10 (1 dep, 772.57kb, 8 files)
│ ╰── libsodium-sumo@0.7.10 (681.01kb, 4 files)
├─┬ linkify-it@3.0.2 (1 dep, 40.66kb, 16 files)
│ ╰── uc.micro@1.0.6 (5.59kb, 10 files)
├── lodash@4.17.11 (1.33mb, 1049 files)
├── long@4.0.0 (172.51kb, 7 files)
├─┬ mic-recorder-to-mp3@2.2.2 (2 deps, 8.69mb, 169 files)
│ ╰─┬ lamejs@1.2.1 (1 dep, 6.16mb, 160 files)
│   ╰── use-strict@1.0.1 (4.16kb, 14 files)
├── moment@2.21.0 (2.42mb, 362 files)
├── mustache@2.3.0 (68.22kb, 17 files)
├── nan@2.14.2 (408.19kb, 46 files)
├── node-fetch@2.3.0 (149.02kb, 8 files)
├─┬ node-sass@6.0.1 (214 deps, 11.85mb, 3297 files)
│ ├── async-foreach@0.1.3 (17.64kb, 8 files)
│ ├─┬ chalk@1.1.3 (7 deps, 36.69kb, 32 files)
│ │ ├── ansi-styles@2.2.1 (4.61kb, 4 files)
│ │ ├── escape-string-regexp@1.0.5 (2.63kb, 4 files)
│ │ ├─┬ has-ansi@2.0.0 (1 dep, 7.12kb, 8 files)
│ │ │ ╰── ansi-regex@2.1.1 (4.09kb, 4 files)
│ │ ├─┬ strip-ansi@3.0.1 (1 dep, 7.13kb, 8 files)
│ │ │ ╰── ansi-regex@2.1.1 (4.09kb, 4 files)
│ │ ╰── supports-color@2.0.0 (3.66kb, 4 files)
│ ├─┬ cross-spawn@7.0.3 (5 deps, 50.85kb, 38 files)
│ │ ├── path-key@3.1.1 (4.45kb, 5 files)
│ │ ├─┬ shebang-command@2.0.0 (1 dep, 5.26kb, 9 files)
│ │ │ ╰── shebang-regex@3.0.0 (2.76kb, 5 files)
│ │ ╰─┬ which@2.0.2 (1 dep, 20.44kb, 14 files)
│ │   ╰── isexe@2.0.0 (10.7kb, 8 files)
│ ├─┬ gaze@1.1.3 (15 deps, 1.56mb, 1124 files)
│ │ ╰─┬ globule@1.3.3 (14 deps, 1.54mb, 1119 files)
│ │   ├── glob@7.1.2 (🔗, 11 deps, 144.5kb, 57 files)
│ │   ├── lodash@4.17.21 (🔗, 1.35mb, 1054 files)
│ │   ╰─┬ minimatch@3.0.8 (3 deps, 56.17kb, 20 files)
│ │     ╰── brace-expansion@1.1.11 (🔗, 2 deps, 22.32kb, 16 files)
│ ├── get-stdin@4.0.1 (1.89kb, 3 files)
│ ├── glob@7.1.2 (🔗, 11 deps, 144.5kb, 57 files)
│ ├── lodash@4.17.21 (1.35mb, 1054 files)
│ ├─┬ meow@9.0.0 (67 deps, 1.18mb, 560 files)
│ │ ├── @types/minimist@1.2.2 (6.56kb, 4 files)
│ │ ├─┬ camelcase-keys@6.2.2 (3 deps, 32.49kb, 20 files)
│ │ │ ├── camelcase@5.3.1 (7.27kb, 5 files)
│ │ │ ├── map-obj@4.3.0 (9.27kb, 5 files)
│ │ │ ╰── quick-lru@4.0.1 (7.29kb, 5 files)
│ │ ├── decamelize@1.2.0 (2.87kb, 4 files)
│ │ ├─┬ decamelize-keys@1.1.0 (2 deps, 9.21kb, 12 files)
│ │ │ ├── decamelize@1.2.0 (🔗, 2.87kb, 4 files)
│ │ │ ╰── map-obj@1.0.1 (2.46kb, 4 files)
│ │ ├── hard-rejection@2.1.0 (5.02kb, 6 files)
│ │ ├─┬ minimist-options@4.1.0 (3 deps, 35.45kb, 18 files)
│ │ │ ├── arrify@1.0.1 (2.28kb, 4 files)
│ │ │ ├── is-plain-obj@1.1.0 (2.55kb, 4 files)
│ │ │ ╰── kind-of@6.0.3 (22.29kb, 5 files)
│ │ ├─┬ normalize-package-data@3.0.3 (13 deps, 290.88kb, 129 files)
│ │ │ ├─┬ hosted-git-info@4.1.0 (2 deps, 53.51kb, 15 files)
│ │ │ │ ╰── lru-cache@6.0.0 (🔗, 1 dep, 29.68kb, 9 files)
│ │ │ ├─┬ is-core-module@2.9.0 (2 deps, 53.49kb, 26 files)
│ │ │ │ ╰─┬ has@1.0.3 (1 dep, 27.27kb, 17 files)
│ │ │ │   ╰── function-bind@1.1.1 (24.56kb, 12 files)
│ │ │ ├── semver@7.3.7 (🔗, 2 deps, 115.05kb, 60 files)
│ │ │ ╰─┬ validate-npm-package-license@3.0.4 (5 deps, 71.27kb, 26 files)
│ │ │   ├─┬ spdx-correct@3.1.1 (4 deps, 55.06kb, 22 files)
│ │ │   │ ├── spdx-expression-parse@3.0.1 (🔗, 2 deps, 23.68kb, 14 files)
│ │ │   │ ╰── spdx-license-ids@3.0.11 (9.51kb, 4 files)
│ │ │   ╰─┬ spdx-expression-parse@3.0.1 (2 deps, 23.68kb, 14 files)
│ │ │     ├── spdx-exceptions@2.3.0 (2.6kb, 3 files)
│ │ │     ╰── spdx-license-ids@3.0.11 (9.51kb, 4 files)
│ │ ├─┬ read-pkg-up@7.0.1 (41 deps, 689.6kb, 349 files)
│ │ │ ├─┬ find-up@4.1.0 (5 deps, 40.2kb, 30 files)
│ │ │ │ ├─┬ locate-path@5.0.0 (3 deps, 25.03kb, 20 files)
│ │ │ │ │ ╰─┬ p-locate@4.1.0 (2 deps, 18.6kb, 15 files)
│ │ │ │ │   ╰─┬ p-limit@2.3.0 (1 dep, 11.49kb, 10 files)
│ │ │ │ │     ╰── p-try@2.2.0 (4.27kb, 5 files)
│ │ │ │ ╰── path-exists@4.0.0 (3.83kb, 5 files)
│ │ │ ├─┬ read-pkg@5.2.0 (33 deps, 586.25kb, 295 files)
│ │ │ │ ├── @types/normalize-package-data@2.4.1 (6.14kb, 4 files)
│ │ │ │ ├─┬ normalize-package-data@2.5.0 (14 deps, 383.82kb, 188 files)
│ │ │ │ │ ├── hosted-git-info@2.8.9 (25.21kb, 7 files)
│ │ │ │ │ ├─┬ resolve@1.22.0 (5 deps, 207.45kb, 138 files)
│ │ │ │ │ │ ├── is-core-module@2.9.0 (🔗, 2 deps, 53.49kb, 26 files)
│ │ │ │ │ │ ├── path-parse@1.0.7 (4.41kb, 4 files)
│ │ │ │ │ │ ╰── supports-preserve-symlinks-flag@1.0.0 (8.96kb, 10 files)
│ │ │ │ │ ├── semver@5.4.1 (🔗, 53.87kb, 6 files)
│ │ │ │ │ ╰── validate-npm-package-license@3.0.4 (🔗, 5 deps, 71.27kb, 26 files)
│ │ │ │ ├─┬ parse-json@5.2.0 (15 deps, 161.45kb, 84 files)
│ │ │ │ │ ├── @babel/code-frame@7.16.7 (🔗, 10 deps, 127.95kb, 58 files)
│ │ │ │ │ ├─┬ error-ex@1.3.2 (1 dep, 12.78kb, 12 files)
│ │ │ │ │ │ ╰── is-arrayish@0.2.1 (3.96kb, 8 files)
│ │ │ │ │ ├── json-parse-even-better-errors@2.3.1 (10.18kb, 5 files)
│ │ │ │ │ ╰── lines-and-columns@1.2.4 (5.26kb, 5 files)
│ │ │ │ ╰── type-fest@0.6.0 (28.93kb, 14 files)
│ │ │ ╰── type-fest@0.8.1 (56.59kb, 19 files)
│ │ ├─┬ redent@3.0.0 (3 deps, 13.94kb, 19 files)
│ │ │ ├── indent-string@4.0.0 (4.29kb, 5 files)
│ │ │ ╰─┬ strip-indent@3.0.0 (1 dep, 6.13kb, 9 files)
│ │ │   ╰── min-indent@1.0.1 (2.9kb, 4 files)
│ │ ├── trim-newlines@3.0.1 (3.76kb, 5 files)
│ │ ├── type-fest@0.18.1 (99.63kb, 34 files)
│ │ ╰── yargs-parser@20.2.9 (121.5kb, 11 files)
│ ├── nan@2.14.2 (🔗, 408.19kb, 46 files)
│ ├─┬ node-gyp@7.1.2 (104 deps, 6.45mb, 1086 files)
│ │ ├── env-paths@2.2.1 (9.92kb, 5 files)
│ │ ├─┬ glob@7.2.2 (11 deps, 144.1kb, 56 files)
│ │ │ ├── fs.realpath@1.0.0 (🔗, 13.12kb, 5 files)
│ │ │ ├── inflight@1.0.6 (🔗, 3 deps, 13.41kb, 16 files)
│ │ │ ├── inherits@2.0.4 (🔗, 3.87kb, 5 files)
│ │ │ ├── minimatch@3.1.2 (🔗, 3 deps, 56.41kb, 20 files)
│ │ │ ├── once@1.4.0 (🔗, 1 dep, 6.84kb, 8 files)
│ │ │ ╰── path-is-absolute@1.0.1 (🔗, 3.53kb, 4 files)
│ │ ├── graceful-fs@4.2.10 (🔗, 31.71kb, 7 files)
│ │ ├─┬ nopt@5.0.0 (1 dep, 29.9kb, 10 files)
│ │ │ ╰── abbrev@1.1.1 (4.67kb, 4 files)
│ │ ├── npmlog@4.1.2 (🔗, 29 deps, 358.48kb, 182 files)
│ │ ├── request@2.88.2 (🔗, 46 deps, 3.66mb, 566 files)
│ │ ├─┬ rimraf@3.0.2 (12 deps, 161.02kb, 62 files)
│ │ │ ╰── glob@7.2.2 (🔗, 11 deps, 144.1kb, 56 files)
│ │ ├── semver@7.3.7 (🔗, 2 deps, 115.05kb, 60 files)
│ │ ├── tar@6.1.11 (🔗, 6 deps, 263.12kb, 63 files)
│ │ ╰─┬ which@2.0.2 (1 dep, 20.44kb, 14 files)
│ │   ╰── isexe@2.0.0 (10.7kb, 8 files)
│ ├─┬ npmlog@4.1.2 (29 deps, 358.48kb, 182 files)
│ │ ├─┬ are-we-there-yet@1.1.7 (9 deps, 174.12kb, 78 files)
│ │ │ ├── delegates@1.0.0 (7.28kb, 8 files)
│ │ │ ╰── readable-stream@2.3.7 (🔗, 7 deps, 152.52kb, 61 files)
│ │ ├── console-control-strings@1.1.0 (12.37kb, 5 files)
│ │ ├─┬ gauge@2.7.4 (17 deps, 163.23kb, 94 files)
│ │ │ ├── aproba@1.2.0 (7.99kb, 4 files)
│ │ │ ├── console-control-strings@1.1.0 (🔗, 12.37kb, 5 files)
│ │ │ ├── has-unicode@2.0.1 (3.36kb, 4 files)
│ │ │ ├── object-assign@4.1.1 (🔗, 5.36kb, 4 files)
│ │ │ ├── signal-exit@3.0.7 (🔗, 9.72kb, 5 files)
│ │ │ ├─┬ string-width@1.0.2 (5 deps, 20.42kb, 24 files)
│ │ │ │ ├── code-point-at@1.1.0 (2.92kb, 4 files)
│ │ │ │ ├─┬ is-fullwidth-code-point@1.0.0 (1 dep, 6.44kb, 8 files)
│ │ │ │ │ ╰── number-is-nan@1.0.1 (2.29kb, 4 files)
│ │ │ │ ╰── strip-ansi@3.0.1 (🔗, 1 dep, 7.13kb, 8 files)
│ │ │ ├── strip-ansi@3.0.1 (🔗, 1 dep, 7.13kb, 8 files)
│ │ │ ╰─┬ wide-align@1.1.5 (5 deps, 56.85kb, 29 files)
│ │ │   ╰── string-width@3.1.0 (🔗, 4 deps, 52.49kb, 25 files)
│ │ ╰── set-blocking@2.0.0 (4.13kb, 5 files)
│ ├─┬ request@2.88.2 (46 deps, 3.66mb, 566 files)
│ │ ├── aws-sign2@0.7.0 (13.85kb, 4 files)
│ │ ├── aws4@1.11.0 (21.76kb, 7 files)
│ │ ├── caseless@0.12.0 (13.92kb, 5 files)
│ │ ├─┬ combined-stream@1.0.8 (1 dep, 19.08kb, 11 files)
│ │ │ ╰── delayed-stream@1.0.0 (7.83kb, 6 files)
│ │ ├── extend@3.0.2 (22.91kb, 10 files)
│ │ ├── forever-agent@0.6.1 (13.68kb, 4 files)
│ │ ├─┬ form-data@2.3.3 (5 deps, 380.8kb, 50 files)
│ │ │ ├── asynckit@0.4.0 (26.72kb, 20 files)
│ │ │ ├── combined-stream@1.0.8 (🔗, 1 dep, 19.08kb, 11 files)
│ │ │ ╰── mime-types@2.1.35 (🔗, 1 dep, 218.57kb, 11 files)
│ │ ├─┬ har-validator@5.1.5 (7 deps, 1.43mb, 209 files)
│ │ │ ├─┬ ajv@6.12.6 (5 deps, 1.41mb, 181 files)
│ │ │ │ ├── fast-deep-equal@3.1.3 (🔗, 12.66kb, 11 files)
│ │ │ │ ├── fast-json-stable-stringify@2.1.0 (16.56kb, 18 files)
│ │ │ │ ├── json-schema-traverse@0.4.1 (19.11kb, 9 files)
│ │ │ │ ╰─┬ uri-js@4.4.1 (1 dep, 490.54kb, 51 files)
│ │ │ │   ╰── punycode@2.1.1 (🔗, 31.67kb, 5 files)
│ │ │ ╰── har-schema@2.0.0 (14.75kb, 22 files)
│ │ ├─┬ http-signature@1.2.0 (15 deps, 834.49kb, 149 files)
│ │ │ ├── assert-plus@1.0.0 (11.17kb, 5 files)
│ │ │ ├─┬ jsprim@1.4.2 (5 deps, 147.01kb, 38 files)
│ │ │ │ ├── assert-plus@1.0.0 (🔗, 11.17kb, 5 files)
│ │ │ │ ├── extsprintf@1.3.0 (22.27kb, 9 files)
│ │ │ │ ├── json-schema@0.4.0 (25.47kb, 5 files)
│ │ │ │ ╰─┬ verror@1.10.0 (3 deps, 91.09kb, 27 files)
│ │ │ │   ├── assert-plus@1.0.0 (🔗, 11.17kb, 5 files)
│ │ │ │   ├── core-util-is@1.0.2 (22.65kb, 6 files)
│ │ │ │   ╰── extsprintf@1.3.0 (🔗, 22.27kb, 9 files)
│ │ │ ╰─┬ sshpk@1.17.0 (9 deps, 651.37kb, 104 files)
│ │ │   ├─┬ asn1@0.2.6 (1 dep, 60.6kb, 17 files)
│ │ │   │ ╰── safer-buffer@2.1.2 (🔗, 41.31kb, 7 files)
│ │ │   ├── assert-plus@1.0.0 (🔗, 11.17kb, 5 files)
│ │ │   ├─┬ dashdash@1.14.1 (1 dep, 89.92kb, 11 files)
│ │ │   │ ╰── assert-plus@1.0.0 (🔗, 11.17kb, 5 files)
│ │ │   ├─┬ getpass@0.1.7 (1 dep, 16.71kb, 11 files)
│ │ │   │ ╰── assert-plus@1.0.0 (🔗, 11.17kb, 5 files)
│ │ │   ├── safer-buffer@2.1.2 (41.31kb, 7 files)
│ │ │   ├── jsbn@0.1.1 (44.77kb, 7 files)
│ │ │   ├── tweetnacl@0.14.5 (169.97kb, 12 files)
│ │ │   ├─┬ ecc-jsbn@0.1.2 (2 deps, 113.22kb, 24 files)
│ │ │   │ ├── jsbn@0.1.1 (🔗, 44.77kb, 7 files)
│ │ │   │ ╰── safer-buffer@2.1.2 (🔗, 41.31kb, 7 files)
│ │ │   ╰─┬ bcrypt-pbkdf@1.0.2 (1 dep, 198.28kb, 17 files)
│ │ │     ╰── tweetnacl@0.14.5 (🔗, 169.97kb, 12 files)
│ │ ├── is-typedarray@1.0.0 (4.3kb, 5 files)
│ │ ├── isstream@0.1.2 (13kb, 8 files)
│ │ ├── json-stringify-safe@5.0.1 (12.42kb, 9 files)
│ │ ├─┬ mime-types@2.1.35 (1 dep, 218.57kb, 11 files)
│ │ │ ╰── mime-db@1.52.0 (200.72kb, 6 files)
│ │ ├── oauth-sign@0.9.0 (13.48kb, 4 files)
│ │ ├── performance-now@2.1.0 (11.08kb, 17 files)
│ │ ├── qs@6.5.3 (122.71kb, 20 files)
│ │ ├── safe-buffer@5.2.1 (31.35kb, 5 files)
│ │ ├─┬ tough-cookie@2.5.0 (2 deps, 539.16kb, 23 files)
│ │ │ ├── psl@1.8.0 (422.87kb, 8 files)
│ │ │ ╰── punycode@2.1.1 (31.67kb, 5 files)
│ │ ├─┬ tunnel-agent@0.6.0 (1 dep, 47.64kb, 9 files)
│ │ │ ╰── safe-buffer@5.2.1 (🔗, 31.35kb, 5 files)
│ │ ╰── uuid@3.3.2 (🔗, 42.58kb, 21 files)
│ ├─┬ sass-graph@2.2.5 (45 deps, 2.17mb, 1337 files)
│ │ ├── glob@7.1.2 (🔗, 11 deps, 144.5kb, 57 files)
│ │ ├── lodash@4.17.21 (🔗, 1.35mb, 1054 files)
│ │ ├─┬ scss-tokenizer@0.2.3 (3 deps, 197.91kb, 43 files)
│ │ │ ├── js-base64@2.6.4 (18.52kb, 5 files)
│ │ │ ╰─┬ source-map@0.4.4 (1 dep, 143.32kb, 27 files)
│ │ │   ╰── amdefine@1.0.1 (19.96kb, 5 files)
│ │ ╰─┬ yargs@13.3.2 (27 deps, 486.95kb, 177 files)
│ │   ├─┬ cliui@5.0.0 (11 deps, 130.09kb, 61 files)
│ │   │ ├── string-width@3.1.0 (🔗, 4 deps, 52.49kb, 25 files)
│ │   │ ├─┬ strip-ansi@5.2.0 (1 dep, 9.12kb, 9 files)
│ │   │ │ ╰── ansi-regex@4.1.1 (5.05kb, 4 files)
│ │   │ ╰─┬ wrap-ansi@5.1.0 (8 deps, 106.51kb, 47 files)
│ │   │   ├─┬ ansi-styles@3.2.1 (2 deps, 44.62kb, 18 files)
│ │   │   │ ╰── color-convert@1.9.3 (🔗, 1 dep, 35.47kb, 14 files)
│ │   │   ├── string-width@3.1.0 (🔗, 4 deps, 52.49kb, 25 files)
│ │   │   ╰── strip-ansi@5.2.0 (🔗, 1 dep, 9.12kb, 9 files)
│ │   ├─┬ find-up@3.0.0 (5 deps, 28.17kb, 26 files)
│ │   │ ╰─┬ locate-path@3.0.0 (4 deps, 23.44kb, 22 files)
│ │   │   ├─┬ p-locate@3.0.0 (2 deps, 16.42kb, 14 files)
│ │   │   │ ╰─┬ p-limit@2.3.0 (1 dep, 11.49kb, 10 files)
│ │   │   │   ╰── p-try@2.2.0 (4.27kb, 5 files)
│ │   │   ╰── path-exists@3.0.0 (3.24kb, 4 files)
│ │   ├── get-caller-file@2.0.5 (4.61kb, 6 files)
│ │   ├── require-directory@2.1.1 (11.79kb, 7 files)
│ │   ├── require-main-filename@2.0.0 (3.84kb, 5 files)
│ │   ├── set-blocking@2.0.0 (🔗, 4.13kb, 5 files)
│ │   ├─┬ string-width@3.1.0 (4 deps, 52.49kb, 25 files)
│ │   │ ├── emoji-regex@7.0.3 (35.41kb, 8 files)
│ │   │ ├── is-fullwidth-code-point@2.0.0 (4.04kb, 4 files)
│ │   │ ╰─┬ strip-ansi@5.2.0 (1 dep, 9.12kb, 9 files)
│ │   │   ╰── ansi-regex@4.1.1 (5.05kb, 4 files)
│ │   ├── which-module@2.0.0 (4.47kb, 5 files)
│ │   ├── y18n@4.0.3 (10.73kb, 5 files)
│ │   ╰─┬ yargs-parser@13.1.2 (2 deps, 65.92kb, 15 files)
│ │     ├── camelcase@5.3.1 (🔗, 7.27kb, 5 files)
│ │     ╰── decamelize@1.2.0 (🔗, 2.87kb, 4 files)
│ ├─┬ stdout-stream@1.4.1 (8 deps, 156.89kb, 69 files)
│ │ ╰─┬ readable-stream@2.3.7 (7 deps, 152.52kb, 61 files)
│ │   ├── core-util-is@1.0.3 (4.87kb, 4 files)
│ │   ├── inherits@2.0.4 (🔗, 3.87kb, 5 files)
│ │   ├── isarray@1.0.0 (3.79kb, 8 files)
│ │   ├── process-nextick-args@2.0.1 (3.1kb, 4 files)
│ │   ├── safe-buffer@5.1.2 (30.94kb, 5 files)
│ │   ├─┬ string_decoder@1.1.1 (1 dep, 45.88kb, 10 files)
│ │   │ ╰── safe-buffer@5.1.2 (🔗, 30.94kb, 5 files)
│ │   ╰── util-deprecate@1.0.2 (5.35kb, 6 files)
│ ╰─┬ true-case-path@1.0.3 (12 deps, 159.87kb, 61 files)
│   ╰── glob@7.1.2 (🔗, 11 deps, 144.5kb, 57 files)
├─┬ os-locale@2.1.0 (20 deps, 152.79kb, 105 files)
│ ├─┬ execa@0.7.0 (15 deps, 131.29kb, 85 files)
│ │ ├─┬ cross-spawn@5.1.0 (7 deps, 79.81kb, 49 files)
│ │ │ ├─┬ lru-cache@4.1.5 (2 deps, 38.72kb, 15 files)
│ │ │ │ ├── pseudomap@1.0.2 (8.02kb, 6 files)
│ │ │ │ ╰── yallist@2.1.2 (13.28kb, 5 files)
│ │ │ ├─┬ shebang-command@1.2.0 (1 dep, 4.87kb, 8 files)
│ │ │ │ ╰── shebang-regex@1.0.0 (2.25kb, 4 files)
│ │ │ ╰─┬ which@1.3.1 (1 dep, 19.9kb, 14 files)
│ │ │   ╰── isexe@2.0.0 (🔗, 10.7kb, 8 files)
│ │ ├── get-stream@3.0.0 (7.7kb, 5 files)
│ │ ├── is-stream@1.1.0 (3.16kb, 4 files)
│ │ ├─┬ npm-run-path@2.0.2 (1 dep, 7.37kb, 8 files)
│ │ │ ╰── path-key@2.0.1 (2.95kb, 4 files)
│ │ ├── p-finally@1.0.0 (3.04kb, 4 files)
│ │ ├── signal-exit@3.0.7 (9.72kb, 5 files)
│ │ ╰── strip-eof@1.0.0 (2.58kb, 4 files)
│ ├─┬ lcid@1.0.0 (1 dep, 7.56kb, 8 files)
│ │ ╰── invert-kv@1.0.0 (1.27kb, 3 files)
│ ╰─┬ mem@1.1.0 (1 dep, 8.83kb, 8 files)
│   ╰── mimic-fn@1.2.0 (2.98kb, 4 files)
├─┬ p-retry@4.6.2 (2 deps, 36.66kb, 17 files)
│ ├── @types/retry@0.12.0 (7.47kb, 4 files)
│ ╰── retry@0.13.1 (18.41kb, 8 files)
├── pify@3.0.0 (6.88kb, 4 files)
├─┬ protobufjs@6.11.2 (13 deps, 7.6mb, 448 files)
│ ├── @protobufjs/aspromise@1.1.2 (8.84kb, 6 files)
│ ├── @protobufjs/base64@1.1.2 (9.01kb, 6 files)
│ ├── @protobufjs/codegen@2.0.4 (8.92kb, 6 files)
│ ├── @protobufjs/eventemitter@1.1.0 (7.57kb, 6 files)
│ ├─┬ @protobufjs/fetch@1.1.0 (2 deps, 21.59kb, 23 files)
│ │ ├── @protobufjs/aspromise@1.1.2 (🔗, 8.84kb, 6 files)
│ │ ╰── @protobufjs/inquire@1.1.0 (🔗, 4.19kb, 11 files)
│ ├── @protobufjs/float@1.0.2 (26.34kb, 8 files)
│ ├── @protobufjs/inquire@1.1.0 (4.19kb, 11 files)
│ ├── @protobufjs/path@1.1.2 (7.59kb, 6 files)
│ ├── @protobufjs/pool@1.1.0 (6.1kb, 7 files)
│ ├── @protobufjs/utf8@1.1.0 (22.95kb, 8 files)
│ ├── @types/long@4.0.2 (12.95kb, 4 files)
│ ├── @types/node@17.0.33 (1.6mb, 59 files)
│ ╰── long@4.0.0 (🔗, 172.51kb, 7 files)
├─┬ rc-slider@8.7.1 (26 deps, 5.03mb, 2086 files)
│ ├─┬ babel-runtime@6.26.0 (2 deps, 2.23mb, 1736 files)
│ │ ├── core-js@2.6.12 (2.16mb, 1489 files)
│ │ ╰── regenerator-runtime@0.11.1 (26.1kb, 5 files)
│ ├── classnames@2.2.5 (🔗, 16.57kb, 9 files)
│ ├─┬ prop-types@15.8.1 (4 deps, 141.47kb, 38 files)
│ │ ├── loose-envify@1.4.0 (🔗, 1 dep, 20.39kb, 13 files)
│ │ ├── object-assign@4.1.1 (🔗, 5.36kb, 4 files)
│ │ ╰── react-is@16.13.1 (🔗, 23.39kb, 9 files)
│ ├─┬ rc-tooltip@3.7.3 (22 deps, 3.84mb, 2028 files)
│ │ ├── babel-runtime@6.26.0 (🔗, 2 deps, 2.23mb, 1736 files)
│ │ ├── prop-types@15.8.1 (🔗, 4 deps, 141.47kb, 38 files)
│ │ ╰─┬ rc-trigger@2.6.5 (21 deps, 3.19mb, 2011 files)
│ │   ├── babel-runtime@6.26.0 (🔗, 2 deps, 2.23mb, 1736 files)
│ │   ├── classnames@2.3.1 (17.29kb, 10 files)
│ │   ├── prop-types@15.8.1 (🔗, 4 deps, 141.47kb, 38 files)
│ │   ├─┬ rc-align@2.4.5 (13 deps, 2.84mb, 1914 files)
│ │   │ ├── babel-runtime@6.26.0 (🔗, 2 deps, 2.23mb, 1736 files)
│ │   │ ├── dom-align@1.12.3 (247.42kb, 8 files)
│ │   │ ├── prop-types@15.8.1 (🔗, 4 deps, 141.47kb, 38 files)
│ │   │ ╰── rc-util@4.21.1 (🔗, 8 deps, 355.39kb, 160 files)
│ │   ├─┬ rc-animate@2.11.1 (18 deps, 2.84mb, 1976 files)
│ │   │ ├── babel-runtime@6.26.0 (🔗, 2 deps, 2.23mb, 1736 files)
│ │   │ ├── classnames@2.3.1 (🔗, 17.29kb, 10 files)
│ │   │ ├─┬ css-animation@1.6.1 (5 deps, 2.37mb, 1762 files)
│ │   │ │ ├── babel-runtime@6.26.0 (🔗, 2 deps, 2.23mb, 1736 files)
│ │   │ │ ╰─┬ component-classes@1.2.6 (1 dep, 120.82kb, 18 files)
│ │   │ │   ╰── component-indexof@0.0.3 (114.08kb, 11 files)
│ │   │ ├── prop-types@15.8.1 (🔗, 4 deps, 141.47kb, 38 files)
│ │   │ ├─┬ raf@3.4.1 (1 dep, 18.99kb, 24 files)
│ │   │ │ ╰── performance-now@2.1.0 (🔗, 11.08kb, 17 files)
│ │   │ ├── rc-util@4.21.1 (🔗, 8 deps, 355.39kb, 160 files)
│ │   │ ╰── react-lifecycles-compat@3.0.4 (🔗, 28.34kb, 8 files)
│ │   ├── rc-util@4.21.1 (🔗, 8 deps, 355.39kb, 160 files)
│ │   ╰── react-lifecycles-compat@3.0.4 (🔗, 28.34kb, 8 files)
│ ├─┬ rc-util@4.21.1 (8 deps, 355.39kb, 160 files)
│ │ ├─┬ add-dom-event-listener@1.1.0 (1 dep, 19.35kb, 10 files)
│ │ │ ╰── object-assign@4.1.1 (🔗, 5.36kb, 4 files)
│ │ ├── prop-types@15.8.1 (🔗, 4 deps, 141.47kb, 38 files)
│ │ ├── react-is@16.13.1 (🔗, 23.39kb, 9 files)
│ │ ├── react-lifecycles-compat@3.0.4 (🔗, 28.34kb, 8 files)
│ │ ╰── shallowequal@1.1.0 (🔗, 7.17kb, 6 files)
│ ├── react-lifecycles-compat@3.0.4 (28.34kb, 8 files)
│ ├── shallowequal@1.1.0 (7.17kb, 6 files)
│ ╰─┬ warning@4.0.3 (2 deps, 29.64kb, 18 files)
│   ╰── loose-envify@1.4.0 (🔗, 1 dep, 20.39kb, 13 files)
├─┬ react@17.0.2 (3 deps, 310.06kb, 35 files)
│ ├─┬ loose-envify@1.4.0 (1 dep, 20.39kb, 13 files)
│ │ ╰── js-tokens@4.0.0 (14.72kb, 5 files)
│ ╰── object-assign@4.1.1 (5.36kb, 4 files)
├─┬ react-contexify@5.0.0 (1 dep, 250.54kb, 64 files)
│ ╰── clsx@1.1.1 (6.13kb, 7 files)
├─┬ react-dom@17.0.2 (4 deps, 2.98mb, 69 files)
│ ├─┬ loose-envify@1.4.0 (1 dep, 20.39kb, 13 files)
│ │ ╰── js-tokens@4.0.0 (14.72kb, 5 files)
│ ├── object-assign@4.1.1 (5.36kb, 4 files)
│ ╰─┬ scheduler@0.20.2 (3 deps, 136.26kb, 43 files)
│   ├── loose-envify@1.4.0 (🔗, 1 dep, 20.39kb, 13 files)
│   ╰── object-assign@4.1.1 (🔗, 5.36kb, 4 files)
├─┬ react-draggable@4.4.5 (6 deps, 420.03kb, 69 files)
│ ├── clsx@1.1.1 (6.13kb, 7 files)
│ ╰─┬ prop-types@15.8.1 (4 deps, 141.47kb, 38 files)
│   ├── loose-envify@1.4.0 (🔗, 1 dep, 20.39kb, 13 files)
│   ├── object-assign@4.1.1 (🔗, 5.36kb, 4 files)
│   ╰── react-is@16.13.1 (🔗, 23.39kb, 9 files)
├─┬ react-h5-audio-player@3.8.4 (4 deps, 8.78mb, 24830 files)
│ ├─┬ @babel/runtime@7.17.9 (1 dep, 195.31kb, 196 files)
│ │ ╰── regenerator-runtime@0.13.9 (26.76kb, 5 files)
│ ├── @iconify/icons-mdi@1.1.47 (7.56mb, 24568 files)
│ ╰── @iconify/react@3.2.1 (189.37kb, 11 files)
├── react-intersection-observer@8.34.0 (200.56kb, 17 files)
├─┬ react-mentions@4.3.2 (11 deps, 785.56kb, 465 files)
│ ├─┬ @babel/runtime@7.4.5 (1 dep, 110.79kb, 149 files)
│ │ ╰── regenerator-runtime@0.13.9 (26.76kb, 5 files)
│ ├─┬ invariant@2.2.4 (2 deps, 27.85kb, 20 files)
│ │ ╰── loose-envify@1.4.0 (🔗, 1 dep, 20.39kb, 13 files)
│ ├─┬ prop-types@15.8.1 (4 deps, 141.47kb, 38 files)
│ │ ├── loose-envify@1.4.0 (🔗, 1 dep, 20.39kb, 13 files)
│ │ ├── object-assign@4.1.1 (🔗, 5.36kb, 4 files)
│ │ ╰── react-is@16.13.1 (🔗, 23.39kb, 9 files)
│ ╰─┬ substyle@9.4.1 (5 deps, 302.72kb, 284 files)
│   ├── @babel/runtime@7.17.9 (🔗, 1 dep, 195.31kb, 196 files)
│   ╰── invariant@2.2.4 (🔗, 2 deps, 27.85kb, 20 files)
├─┬ react-portal@4.2.2 (5 deps, 179.75kb, 54 files)
│ ╰─┬ prop-types@15.8.1 (4 deps, 141.47kb, 38 files)
│   ├── loose-envify@1.4.0 (🔗, 1 dep, 20.39kb, 13 files)
│   ├── object-assign@4.1.1 (🔗, 5.36kb, 4 files)
│   ╰── react-is@16.13.1 (🔗, 23.39kb, 9 files)
├─┬ react-qr-svg@2.4.0 (6 deps, 182.98kb, 62 files)
│ ├─┬ prop-types@15.8.1 (4 deps, 141.47kb, 38 files)
│ │ ├── loose-envify@1.4.0 (🔗, 1 dep, 20.39kb, 13 files)
│ │ ├── object-assign@4.1.1 (🔗, 5.36kb, 4 files)
│ │ ╰── react-is@16.13.1 (🔗, 23.39kb, 9 files)
│ ╰── qr.js@0.0.0 (29.06kb, 16 files)
├─┬ react-redux@7.2.1 (10 deps, 663.89kb, 342 files)
│ ├─┬ @babel/runtime@7.17.9 (1 dep, 195.31kb, 196 files)
│ │ ╰── regenerator-runtime@0.13.9 (26.76kb, 5 files)
│ ├─┬ hoist-non-react-statics@3.3.2 (1 dep, 61.34kb, 17 files)
│ │ ╰── react-is@16.13.1 (🔗, 23.39kb, 9 files)
│ ├─┬ loose-envify@1.4.0 (1 dep, 20.39kb, 13 files)
│ │ ╰── js-tokens@4.0.0 (14.72kb, 5 files)
│ ├─┬ prop-types@15.8.1 (4 deps, 141.47kb, 38 files)
│ │ ├── loose-envify@1.4.0 (🔗, 1 dep, 20.39kb, 13 files)
│ │ ├── object-assign@4.1.1 (🔗, 5.36kb, 4 files)
│ │ ╰── react-is@16.13.1 (🔗, 23.39kb, 9 files)
│ ╰── react-is@16.13.1 (23.39kb, 9 files)
├─┬ react-toastify@6.2.0 (12 deps, 2.28mb, 635 files)
│ ├── clsx@1.1.1 (6.13kb, 7 files)
│ ├─┬ prop-types@15.8.1 (4 deps, 141.47kb, 38 files)
│ │ ├── loose-envify@1.4.0 (🔗, 1 dep, 20.39kb, 13 files)
│ │ ├── object-assign@4.1.1 (🔗, 5.36kb, 4 files)
│ │ ╰── react-is@16.13.1 (🔗, 23.39kb, 9 files)
│ ╰─┬ react-transition-group@4.4.2 (9 deps, 1.82mb, 557 files)
│   ├── @babel/runtime@7.17.9 (🔗, 1 dep, 195.31kb, 196 files)
│   ├── dom-helpers@5.2.1 (🔗, 3 deps, 1.46mb, 485 files)
│   ├── loose-envify@1.4.0 (🔗, 1 dep, 20.39kb, 13 files)
│   ╰── prop-types@15.8.1 (🔗, 4 deps, 141.47kb, 38 files)
├─┬ react-use@17.3.2 (37 deps, 7.76mb, 1463 files)
│ ├── @types/js-cookie@2.2.7 (7.2kb, 4 files)
│ ├── @xobotyi/scrollbar-width@1.9.5 (18.18kb, 9 files)
│ ├─┬ copy-to-clipboard@3.3.1 (1 dep, 86.25kb, 16 files)
│ │ ╰── toggle-selection@1.0.6 (3.24kb, 6 files)
│ ├── fast-deep-equal@3.1.3 (12.66kb, 11 files)
│ ├── fast-shallow-equal@1.0.0 (3.28kb, 6 files)
│ ├── js-cookie@2.2.1 (26.97kb, 6 files)
│ ├─┬ nano-css@5.3.4 (22 deps, 6.79mb, 806 files)
│ │ ├─┬ css-tree@1.1.3 (2 deps, 2.25mb, 166 files)
│ │ │ ├── mdn-data@2.0.14 (548.62kb, 23 files)
│ │ │ ╰── source-map@0.6.1 (786.35kb, 20 files)
│ │ ├── csstype@3.0.11 (1.14mb, 5 files)
│ │ ├── fastest-stable-stringify@2.0.2 (15.35kb, 16 files)
│ │ ├─┬ inline-style-prefixer@6.0.1 (3 deps, 119.71kb, 99 files)
│ │ │ ╰─┬ css-in-js-utils@2.0.1 (2 deps, 41.6kb, 38 files)
│ │ │   ├── hyphenate-style-name@1.0.4 (4.6kb, 5 files)
│ │ │   ╰── isobject@3.0.1 (6.77kb, 5 files)
│ │ ├─┬ rtl-css-js@1.15.0 (2 deps, 454.97kb, 218 files)
│ │ │ ╰── @babel/runtime@7.17.9 (🔗, 1 dep, 195.31kb, 196 files)
│ │ ├── sourcemap-codec@1.4.8 (31.06kb, 9 files)
│ │ ├─┬ stacktrace-js@2.0.2 (7 deps, 2.43mb, 116 files)
│ │ │ ├─┬ error-stack-parser@2.0.7 (1 dep, 68.56kb, 26 files)
│ │ │ │ ╰── stackframe@1.2.1 (32.45kb, 17 files)
│ │ │ ├─┬ stack-generator@2.0.5 (1 dep, 53.27kb, 31 files)
│ │ │ │ ╰── stackframe@1.2.1 (32.45kb, 17 files)
│ │ │ ╰─┬ stacktrace-gps@3.0.4 (2 deps, 932.09kb, 47 files)
│ │ │   ├── source-map@0.5.6 (738.38kb, 19 files)
│ │ │   ╰── stackframe@1.2.1 (32.45kb, 17 files)
│ │ ╰── stylis@4.1.1 (129.78kb, 16 files)
│ ├── react-universal-interface@0.6.2 (30.62kb, 32 files)
│ ├── resize-observer-polyfill@1.5.1 (143.87kb, 23 files)
│ ├── screenfull@5.2.0 (17.7kb, 5 files)
│ ├── set-harmonic-interval@1.0.1 (9.22kb, 8 files)
│ ├── throttle-debounce@3.0.1 (66.54kb, 13 files)
│ ├── ts-easing@0.2.0 (6.37kb, 5 files)
│ ╰── tslib@2.4.0 (48.8kb, 11 files)
├─┬ react-virtualized@9.22.3 (15 deps, 4.01mb, 1040 files)
│ ├─┬ @babel/runtime@7.17.9 (1 dep, 195.31kb, 196 files)
│ │ ╰── regenerator-runtime@0.13.9 (26.76kb, 5 files)
│ ├── clsx@1.1.1 (6.13kb, 7 files)
│ ├─┬ dom-helpers@5.2.1 (3 deps, 1.46mb, 485 files)
│ │ ├── @babel/runtime@7.17.9 (🔗, 1 dep, 195.31kb, 196 files)
│ │ ╰── csstype@3.0.11 (1.14mb, 5 files)
│ ├─┬ loose-envify@1.4.0 (1 dep, 20.39kb, 13 files)
│ │ ╰── js-tokens@4.0.0 (14.72kb, 5 files)
│ ├─┬ prop-types@15.8.1 (4 deps, 141.47kb, 38 files)
│ │ ├── loose-envify@1.4.0 (🔗, 1 dep, 20.39kb, 13 files)
│ │ ├── object-assign@4.1.1 (🔗, 5.36kb, 4 files)
│ │ ╰── react-is@16.13.1 (🔗, 23.39kb, 9 files)
│ ╰── react-lifecycles-compat@3.0.4 (28.34kb, 8 files)
├─┬ read-last-lines@1.3.0 (23 deps, 376.19kb, 194 files)
│ ╰─┬ fs-promise@0.5.0 (22 deps, 368.49kb, 187 files)
│   ├── any-promise@1.3.0 (21.67kb, 34 files)
│   ├─┬ fs-extra@0.26.7 (16 deps, 306.62kb, 117 files)
│   │ ├── graceful-fs@4.2.10 (🔗, 31.71kb, 7 files)
│   │ ├─┬ jsonfile@2.4.0 (1 dep, 48.28kb, 14 files)
│   │ │ ╰── graceful-fs@4.2.10 (🔗, 31.71kb, 7 files)
│   │ ├─┬ klaw@1.3.1 (1 dep, 44.03kb, 14 files)
│   │ │ ╰── graceful-fs@4.2.10 (🔗, 31.71kb, 7 files)
│   │ ├── path-is-absolute@1.0.1 (🔗, 3.53kb, 4 files)
│   │ ╰── rimraf@2.6.2 (🔗, 12 deps, 159.25kb, 62 files)
│   ├─┬ mz@2.7.0 (4 deps, 50.75kb, 59 files)
│   │ ├── any-promise@1.3.0 (🔗, 21.67kb, 34 files)
│   │ ├── object-assign@4.1.1 (🔗, 5.36kb, 4 files)
│   │ ╰── thenify-all@1.6.0 (🔗, 2 deps, 35.84kb, 44 files)
│   ╰─┬ thenify-all@1.6.0 (2 deps, 35.84kb, 44 files)
│     ╰─┬ thenify@3.3.1 (1 dep, 29.41kb, 39 files)
│       ╰── any-promise@1.3.0 (🔗, 21.67kb, 34 files)
├─┬ redux@4.0.1 (3 deps, 181.31kb, 42 files)
│ ├─┬ loose-envify@1.4.0 (1 dep, 20.39kb, 13 files)
│ │ ╰── js-tokens@4.0.0 (14.72kb, 5 files)
│ ╰── symbol-observable@1.2.0 (9.96kb, 10 files)
├─┬ redux-logger@3.0.6 (1 dep, 136.92kb, 30 files)
│ ╰── deep-diff@0.3.8 (103.39kb, 21 files)
├── redux-persist@6.0.0 (408.06kb, 133 files)
├── redux-promise-middleware@6.1.2 (56.4kb, 14 files)
├── reselect@4.0.0 (167.48kb, 11 files)
├─┬ rimraf@2.6.2 (12 deps, 159.25kb, 62 files)
│ ╰── glob@7.1.2 (🔗, 11 deps, 144.5kb, 57 files)
├── sanitize.css@12.0.1 (48.07kb, 12 files)
├── semver@5.4.1 (53.87kb, 6 files)
├─┬ styled-components@5.1.1 (48 deps, 7.61mb, 1708 files)
│ ├─┬ @babel/helper-module-imports@7.16.7 (3 deps, 1.02mb, 118 files)
│ │ ╰─┬ @babel/types@7.17.10 (2 deps, 1.01mb, 111 files)
│ │   ├── @babel/helper-validator-identifier@7.16.7 (18.6kb, 7 files)
│ │   ╰── to-fast-properties@2.0.0 (3.41kb, 4 files)
│ ├─┬ @babel/traverse@7.17.10 (27 deps, 3.42mb, 304 files)
│ │ ├─┬ @babel/code-frame@7.16.7 (10 deps, 127.95kb, 58 files)
│ │ │ ╰─┬ @babel/highlight@7.17.9 (9 deps, 121.15kb, 54 files)
│ │ │   ├── @babel/helper-validator-identifier@7.16.7 (🔗, 18.6kb, 7 files)
│ │ │   ├─┬ chalk@2.4.2 (6 deps, 83.07kb, 38 files)
│ │ │   │ ├─┬ ansi-styles@3.2.1 (2 deps, 44.62kb, 18 files)
│ │ │   │ │ ╰── color-convert@1.9.3 (🔗, 1 dep, 35.47kb, 14 files)
│ │ │   │ ├── escape-string-regexp@1.0.5 (🔗, 2.63kb, 4 files)
│ │ │   │ ╰── supports-color@5.5.0 (🔗, 1 dep, 9.53kb, 9 files)
│ │ │   ╰── js-tokens@4.0.0 (🔗, 14.72kb, 5 files)
│ │ ├─┬ @babel/generator@7.17.10 (7 deps, 1.25mb, 165 files)
│ │ │ ├── @babel/types@7.17.10 (🔗, 2 deps, 1.01mb, 111 files)
│ │ │ ├─┬ @jridgewell/gen-mapping@0.1.1 (2 deps, 98.29kb, 26 files)
│ │ │ │ ├── @jridgewell/set-array@1.1.1 (13.45kb, 8 files)
│ │ │ │ ╰── @jridgewell/sourcemap-codec@1.4.13 (33.72kb, 8 files)
│ │ │ ╰── jsesc@2.5.2 (31.22kb, 6 files)
│ │ ├─┬ @babel/helper-environment-visitor@7.16.7 (3 deps, 1.01mb, 115 files)
│ │ │ ╰── @babel/types@7.17.10 (🔗, 2 deps, 1.01mb, 111 files)
│ │ ├─┬ @babel/helper-function-name@7.17.9 (15 deps, 2.94mb, 185 files)
│ │ │ ├─┬ @babel/template@7.16.7 (14 deps, 2.93mb, 181 files)
│ │ │ │ ├── @babel/code-frame@7.16.7 (🔗, 10 deps, 127.95kb, 58 files)
│ │ │ │ ├── @babel/parser@7.17.10 (🔗, 1.8mb, 8 files)
│ │ │ │ ╰── @babel/types@7.17.10 (🔗, 2 deps, 1.01mb, 111 files)
│ │ │ ╰── @babel/types@7.17.10 (🔗, 2 deps, 1.01mb, 111 files)
│ │ ├─┬ @babel/helper-hoist-variables@7.16.7 (3 deps, 1.01mb, 115 files)
│ │ │ ╰── @babel/types@7.17.10 (🔗, 2 deps, 1.01mb, 111 files)
│ │ ├─┬ @babel/helper-split-export-declaration@7.16.7 (3 deps, 1.01mb, 115 files)
│ │ │ ╰── @babel/types@7.17.10 (🔗, 2 deps, 1.01mb, 111 files)
│ │ ├── @babel/parser@7.17.10 (1.8mb, 8 files)
│ │ ├─┬ @babel/types@7.17.10 (2 deps, 1.01mb, 111 files)
│ │ │ ├── @babel/helper-validator-identifier@7.16.7 (18.6kb, 7 files)
│ │ │ ╰── to-fast-properties@2.0.0 (3.41kb, 4 files)
│ │ ├── debug@4.3.4 (🔗, 1 dep, 48.04kb, 11 files)
│ │ ╰── globals@11.12.0 (38.85kb, 5 files)
│ ├─┬ @emotion/is-prop-valid@0.8.8 (1 dep, 43.39kb, 32 files)
│ │ ╰── @emotion/memoize@0.7.4 (5.28kb, 15 files)
│ ├── @emotion/stylis@0.8.5 (102.36kb, 17 files)
│ ├── @emotion/unitless@0.7.5 (8.06kb, 12 files)
│ ├─┬ babel-plugin-styled-components@2.0.7 (11 deps, 3.5mb, 1326 files)
│ │ ├─┬ @babel/helper-annotate-as-pure@7.16.7 (3 deps, 1.01mb, 115 files)
│ │ │ ╰── @babel/types@7.17.10 (🔗, 2 deps, 1.01mb, 111 files)
│ │ ├── @babel/helper-module-imports@7.16.7 (🔗, 3 deps, 1.02mb, 118 files)
│ │ ├── babel-plugin-syntax-jsx@6.18.0 (969b, 4 files)
│ │ ├── lodash@4.17.21 (🔗, 1.35mb, 1054 files)
│ │ ╰── picomatch@2.3.1 (87.84kb, 10 files)
│ ├─┬ css-to-react-native@3.0.0 (3 deps, 124.13kb, 65 files)
│ │ ├── camelize@1.0.0 (5.53kb, 7 files)
│ │ ├── css-color-keywords@1.0.0 (6.33kb, 5 files)
│ │ ╰── postcss-value-parser@4.2.0 (26.56kb, 9 files)
│ ├─┬ hoist-non-react-statics@3.3.2 (1 dep, 61.34kb, 17 files)
│ │ ╰── react-is@16.13.1 (🔗, 23.39kb, 9 files)
│ ├── shallowequal@1.1.0 (7.17kb, 6 files)
│ ╰─┬ supports-color@5.5.0 (1 dep, 9.53kb, 9 files)
│   ╰── has-flag@3.0.0 (3.05kb, 4 files)
╰── uuid@3.3.2 (42.58kb, 21 files
adrelanos commented 2 years ago

Why this might matter in practice, see separate ticket: security: NPM found 91 vulnerabilities #2322

(Which are are known vulnerabilities, not deliberate, explicit, direct backdoors such as the copay backdoor.)

KeeJef commented 1 year ago

We don't use npm in Session desktop, we use Yarn, so "Yarn audit" would be the correct command to run, generally we try to apply fixes to critical issues as they arise, however not every automatically flagged vulnerability will actually be an exploitable vulnerability in Session. So reports like this are often not indicative of actual security in Session.

Bilb commented 1 year ago

In addition to Kee's comment:

On Session desktop, we pin the versions of the packages we are using in the yarn.lock file. Which means that we won't automatically pickup an update from the npm registry of a dependency we rely on.

Looking at that thread you posted, it is about the package flatmap-stream which is not used on desktop (yarn list |grep flatmap returns nothing). But still, because we pin the dependencies to their exact versions and only upgrade them from time to time, by the time we do upgrade them something like that would have most likely been found out.

So for instance, if we somehow used the event-stream package which is the one which got hacked here, we'd have in the yarn.lock file something like event-stream:2.0.1. When the event-stream gets hacked and the dependency to flatmap-stream gets added, they need to publish a new release for it to be available to everyone. Let's name it event-stream:2.0.2. Because our yarn.lock is hardcoded to event-stream:2.0.1, the version 2.0.2 of the package won't be installed. We'd have to specifically upgrade it to get the change, which by the time we do it would most likely be removed already.

I hope this helps