Stream: t-compiler/wg-rls-2.0

Topic: Yet another security alert from npm


matklad (May 04 2019 at 15:06, on Zulip):

Does anyone know what https://github.com/rust-analyzer/rust-analyzer/network/alert/code/package-lock.json/tar/open means?

matklad (May 04 2019 at 15:06, on Zulip):

pasted image

matklad (May 04 2019 at 15:06, on Zulip):

We don't have tar anywhere?

matklad (May 04 2019 at 15:06, on Zulip):

https://github.com/rust-analyzer/rust-analyzer/search?utf8=%E2%9C%93&q=tar&type=

detrumi (May 04 2019 at 15:11, on Zulip):

Maybe some js tool uses tar somewhere?

detrumi (May 04 2019 at 15:12, on Zulip):

npm itself depends on tar, so that might be it even

Florian Diebold (May 04 2019 at 15:38, on Zulip):

it's talking about code/package-lock.json which isn't the current path, so maybe it's referring to some old branch

Florian Diebold (May 04 2019 at 15:40, on Zulip):

hm no, I can't find any branch where that's the path

Florian Diebold (May 04 2019 at 15:40, on Zulip):

and it's actually pointing at the path in master, which results in a 404 :thinking:

matklad (May 04 2019 at 15:46, on Zulip):

pruned old branches just in case

matklad (May 05 2019 at 08:13, on Zulip):

just squashed the alert manually :c

Last update: Nov 12 2019 at 16:05UTC