Skip to content

Instantly share code, notes, and snippets.

npm scripts security flaw

I reported a security flaw to npm on 13 April 2024. The security flaw itself is not particularly serious, and as far as I know has never been exploited, but the underlying problem does manifest quite often in the wild as extremely unexpected behaviour when developers install packages using very recent versions of npm, or release packages using any npm-compatible tools.

When I reported this, npm didn't provide a particularly satisfactory response or pay me a bounty, and I think three months is plenty of time for them to have fixed the problem, so I'm documenting it here. Since this problem does come up in the wild fairly often, I want to be able to point developers to a page that explains what's going on.

I haven't checked if npm have done anything to fix or mitigate this problem, but from reports from other developers it appears that they have not. The npm repository itself is affected, and potentially any tools that consume packages from the npm repository are also affected.

Notification.requestPermission()
.then(() => new Notification("Welcome to ecco", {
body: "This is some body text"
}));
// See: https://developer.mozilla.org/en-US/docs/Web/API/Notification/Notification
type Branded<T, U extends string> = T & { [Symbol.species]: U };
// if targeting ES5, change to:
// type Branded<T, U> = T & { ['Brand']: U };
// FOO
type FooId = Branded<number, 'FooId'>;
// BAR
type BarId = Branded<number, 'BarId'>;
@djcsdy
djcsdy / Unity with source control.md
Last active October 5, 2024 13:46
Unity with source control

In the Unity editor:

  1. Edit -> Project Settings -> Editor
  2. In the inspector panel, set:
  3. Version Control -> Mode: Visible Meta Files
  4. Asset Serialization -> Mode: Force Text

“Visible Meta Files” causes Unity to place .meta files next to each of your assets. It’s important to check these files into version control because they contain the settings associated with those assets that you set in the Unity editor.

“Asset Serialization: Force Text” causes Unity to write its .meta and other files in a more-or-less human-readable text format, which makes it a lot easier to understand what has changed when you look at version control logs. Also it’s feasible to merge these text files by hand, whereas it’s not really possible to do that with Unity’s default binary file format.

class Base { }
class A extends Base { }
class B extends Base { }
interface Constructor<T> {
new(): T;
}
-- Adapted from
-- https://www.haskell.org/haskellwiki/Generic_number_type#squareRoot
floorSqrt :: Integer -> Integer
floorSqrt 0 = 0
floorSqrt 1 = 1
floorSqrt n =
let powers = iterate (^2) 2
(lowerRoot, lowerN) =
last $ takeWhile ((n>=) . snd) $ zip (1:powers) powers
newtonStep x = (x + (n `div` x)) `div` 2
@djcsdy
djcsdy / serial link.txt
Created August 2, 2014 02:11
Clockless unidirectional serial link between a Raspberry Pi and Arduino.
From c896dae0a938b522bd82c8a06e46aaff6670fe71 Mon Sep 17 00:00:00 2001
From: Daniel Cassidy <[email protected]>
Date: Wed, 28 Aug 2013 17:21:05 +0100
Subject: [PATCH] [MTOMCAT-236] Upgrade selenium-server to 2.35.0 in
tomcat-maven-archetype.
This fixes an incompatibility between Selenium and Firefox 22 and later.
---
.../resources/archetype-resources/__rootArtifactId__-webapp-it/pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
function lessThan(a:Number, b:Number):Boolean {
return a < b;
}
function greaterThan(a:Number, b:Number):Boolean {
return a > b;
}
var comparator:Function = lessThan;
@djcsdy
djcsdy / decimalize.js
Created December 3, 2012 03:15
Convert hex values on a web page to decimal
function fix (node) { while (node) { if (node.nodeType == 3) { node.nodeValue = node.nodeValue.replace(/\$((?:[0-9a-fA-F]{2}){1,2})/g, function (match, value) { return parseInt(value, 16); }); } else { fix(node.firstChild); } node = node.nextSibling; } } fix(document)