Daniel Cassidy djcsdy

npm scripts security flaw

I reported a security flaw to npm on 13 April 2024. The security flaw itself is not particularly serious, and as far as I know has never been exploited, but the underlying problem does manifest quite often in the wild as extremely unexpected behaviour when developers install packages using very recent versions of npm, or release packages using any npm-compatible tools.

When I reported this, npm didn't provide a particularly satisfactory response or pay me a bounty, and I think three months is plenty of time for them to have fixed the problem, so I'm documenting it here. Since this problem does come up in the wild fairly often, I want to be able to point developers to a page that explains what's going on.

I haven't checked if npm have done anything to fix or mitigate this problem, but from reports from other developers it appears that they have not. The npm repository itself is affected, and potentially any tools that consume packages from the npm repository are also affected.

In the Unity editor:

Edit -> Project Settings -> Editor
In the inspector panel, set:
Version Control -> Mode: Visible Meta Files
Asset Serialization -> Mode: Force Text

“Visible Meta Files” causes Unity to place .meta files next to each of your assets. It’s important to check these files into version control because they contain the settings associated with those assets that you set in the Unity editor.

“Asset Serialization: Force Text” causes Unity to write its .meta and other files in a more-or-less human-readable text format, which makes it a lot easier to understand what has changed when you look at version control logs. Also it’s feasible to merge these text files by hand, whereas it’s not really possible to do that with Unity’s default binary file format.

	Notification.requestPermission()
	.then(() => new Notification("Welcome to ecco", {
	body: "This is some body text"
	}));

	// See: https://developer.mozilla.org/en-US/docs/Web/API/Notification/Notification

	type Branded<T, U extends string> = T & { [Symbol.species]: U };
	// if targeting ES5, change to:
	// type Branded<T, U> = T & { ['Brand']: U };

	// FOO
	type FooId = Branded<number, 'FooId'>;

	// BAR
	type BarId = Branded<number, 'BarId'>;

	class Base { }

	class A extends Base { }

	class B extends Base { }

	interface Constructor<T> {
	new(): T;
	}

	-- Adapted from
	-- https://www.haskell.org/haskellwiki/Generic_number_type#squareRoot
	floorSqrt :: Integer -> Integer
	floorSqrt 0 = 0
	floorSqrt 1 = 1
	floorSqrt n =
	let powers = iterate (^2) 2
	(lowerRoot, lowerN) =
	last $ takeWhile ((n>=) . snd) $ zip (1:powers) powers
	newtonStep x = (x + (n `div` x)) `div` 2

	Clockless unidirectional serial link between a Raspberry Pi and Arduino.

	Inspired by every Commodore 64 disk fastloader ever :).

	Motivation: I want to send commands from a Raspberry Pi to an Adafruit
	Gemma (a tiny Arduino-compatible). Gemma only has three GPIO pins, and one
	of them is in use to make LEDs glow pretty colours. I don’t want to have
	to worry about tricky timing constraints.

	Gemma signals at 3.3V, which is the same level as the Pi. Most other

	From c896dae0a938b522bd82c8a06e46aaff6670fe71 Mon Sep 17 00:00:00 2001
	From: Daniel Cassidy <[email protected]>
	Date: Wed, 28 Aug 2013 17:21:05 +0100
	Subject: [PATCH] [MTOMCAT-236] Upgrade selenium-server to 2.35.0 in
	tomcat-maven-archetype.

	This fixes an incompatibility between Selenium and Firefox 22 and later.
	---
	.../resources/archetype-resources/__rootArtifactId__-webapp-it/pom.xml \| 2 +-
	1 file changed, 1 insertion(+), 1 deletion(-)

	function lessThan(a:Number, b:Number):Boolean {
	return a < b;
	}

	function greaterThan(a:Number, b:Number):Boolean {
	return a > b;
	}

	var comparator:Function = lessThan;