zalando / tech-radar

Visualizing our technology choices
https://opensource.zalando.com/tech-radar/
MIT License

The package has been removed from npm #128

Closed sbaechler closed 1 year ago

sbaechler commented 1 year ago

When I try to install "zalando-tech-radar": "^2022.5.0", npm only installs a placeholder with the following message:

Security holding package

This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.

Please refer to www.npmjs.com/advisories?search=zalando-tech-radar for more information.

Unfortunately there is no information under this link.

So is there a security issue with tech-radar? The code is quite simple and easy to review.

bocytko commented 1 year ago

Thanks for your question. We never provided any official npm packages published from this repository, so this must have been a malicious package.

The README.md instructions also do not mention any npm packages being required for installation. Where did you find instructions asking you to perform installation and what's the exact command you used? The npm dependencies are used for local development only to provide a server with auto-reload functionality.

Hosting the tech radar happens via a static HTML file and a simple script using d3.js for visualization of data from the HTML file, which is fully under control at build time.

sbaechler commented 1 year ago

Ok, thanks for the explanation. Since there was a package.json I assumed it was on npm.

Maybe add "private": true to your package.json to make it clear that it is not published. Or just publish it.

I first thought about using it as a dependency since I needed to preprocess the JSON but then ended up just copying the script.
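An added example (not code from this thread or from the tech-radar project) that turns the two points above into a consumer-side check: it flags an npm "security holding package" placeholder, compares a dependency's registry repository field with the repository it is expected to come from, and confirms that a development-only package.json carries "private": true. The project package.json and registry documents are constructed sample data; the placeholder's description and "-security" version format are assumptions about how npm's placeholders look.

```javascript
// Constructed sample of a consumer project's package.json (not from the thread).
const projectPackageJson = {
  dependencies: { "zalando-tech-radar": "^2022.5.0", d3: "^7.8.0" },
};
// Constructed registry documents keyed by name. Real ones come from
// https://registry.npmjs.org/<name>; the "security holding package" description
// and "-security" version are the assumed shape of npm's placeholder packages.
const registryDocs = {
  "zalando-tech-radar": {
    description: "security holding package",
    "dist-tags": { latest: "0.0.1-security" },
    repository: { type: "git", url: "git+https://github.com/npm/security-holder.git" },
  },
  d3: {
    description: "Data-Driven Documents",
    "dist-tags": { latest: "7.8.5" },
    repository: { type: "git", url: "git+https://github.com/d3/d3.git" },
  },
};

// Upstream repository each dependency is expected to be built from.
const expectedRepos = { "zalando-tech-radar": "github.com/zalando/tech-radar", d3: "github.com/d3/d3" };

// True when the registry document looks like an npm security placeholder.
function isSecurityHolding(doc) {
  const latest = (doc["dist-tags"] || {}).latest || "";
  return /security holding package/i.test(doc.description || "") || latest.endsWith("-security");
}
// Reduce a repository URL to host/owner/name so it can be compared.
function normalizeRepoUrl(url) {
  return (url || "").replace(/^git\+/, "").replace(/^https?:\/\//, "").replace(/\.git$/, "");
}

// Flag placeholders, unknown packages and registry repositories that do not match upstream.
function auditDependencies(pkg, docs, expected) {
  const findings = [];
  for (const name of Object.keys(pkg.dependencies || {})) {
    const doc = docs[name];
    if (!doc) { findings.push({ name, issue: "not-in-registry" }); continue; }
    if (isSecurityHolding(doc)) findings.push({ name, issue: "security-holding-placeholder" });
    const repo = normalizeRepoUrl((doc.repository || {}).url);
    if (expected[name] && repo !== expected[name]) findings.push({ name, issue: "repository-mismatch", repo });
  }
  return findings;
}

// "private": true makes `npm publish` refuse, so a dev-only package.json cannot reach the registry by accident.
function isPublishGuarded(pkg) { return pkg.private === true; }
```

Running `auditDependencies(projectPackageJson, registryDocs, expectedRepos)` on the constructed data reports the placeholder and the repository mismatch for zalando-tech-radar and nothing for d3.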

benbariteau commented 5 months ago

It would be nice to have this as a proper npm package so it can be used in concert with other npm packages instead of just being copied into whatever project uses this.