twilio / flex-plugin-builder

Packages related to building a Twilio Flex Plugin
https://www.twilio.com/docs/flex/developer/plugins/cli
MIT License

[BUG] CVE-2022-23812: YOUR CODE IS INFECTED WITH MALICIOUS DEPENDENCY - node-ipc #688

Closed lgg closed 2 years ago

lgg commented 2 years ago

The newest version of node-ipc deletes all users' files from the device. You should not use this dependency anymore!

You can learn more here: https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c

Check the possible solution that is already applied in vue.js: https://github.com/vuejs/vue-cli/issues/7054#issuecomment-1068677029

Also check more here: https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/

ktalebian commented 2 years ago

Thank you for bringing this to our attention - it looks like version v9.2.2 added this. I will make a PR to pin the current version to a lower version while we work on an alternative to this module.

ktalebian commented 2 years ago

We have a patch released to pin the version of node-ipc to a version that does not have this vulnerability.