zhuangya
commented
2 years ago so i publish a package with only purpose of notice just now, also, i'd like to transfer y-websocket-server to you. just let me know :)
Closed zhuangya closed 2 years ago
zhuangya
commented
2 years ago so i publish a package with only purpose of notice just now, also, i'd like to transfer y-websocket-server to you. just let me know :)
dmonad
commented
2 years ago Right, thank you!
Also, thank you for ensuring that no one abuses this bug.
I'd appreciate it if you'd transfer ownership to me. My username on npm is dmonad as well.
zhuangya
commented
2 years ago @dmonad npm invitation sent, if you need anything else, feel free to ping me here :)
dmonad
commented
2 years ago Got it, thank you so much!
according to the doc, npx needs package name rather than the binary name. so executing
npx y-websocket-serverwould not download and run the server binary iny-websocket, it would download from y-websocket-server instead, which could lead to remote arbitrage code execution.Huly®: YJS-761