Closed zhuangya closed 2 years ago
so i publish a package with only purpose of notice just now, also, i'd like to transfer y-websocket-server
to you. just let me know :)
Right, thank you!
Also, thank you for ensuring that no one abuses this bug.
I'd appreciate it if you'd transfer ownership to me. My username on npm is dmonad
as well.
@dmonad npm invitation sent, if you need anything else, feel free to ping me here :)
Got it, thank you so much!
according to the doc, npx needs package name rather than the binary name. so executing
npx y-websocket-server
would not download and run the server binary iny-websocket
, it would download from y-websocket-server instead, which could lead to remote arbitrage code execution.Huly®: YJS-761