Comment by patates 3 months ago

patates 3 months ago
aren't these already nuked and show up in the "npm audit" command?

epmatsw 3 months ago
Annoyingly, npm audit relies on github's advisory DB, which is currently incorrectly flagging all versions of these packages, not just the compromised ones.
https://github.com/github/advisory-database/issues/6098

brycewray 3 months ago
“Anatomy of a Billion-Download NPM Supply-Chain Attack”[0] suggests adding this to `package.json` for now...

```json
"overrides": {
  "chalk": "5.3.0",
  "strip-ansi": "7.1.0",
  "color-convert": "2.0.1",
  "color-name": "1.1.4",
  "is-core-module": "2.13.1",
  "error-ex": "1.3.2",
  "has-ansi": "5.0.1"
}
```

EDIT: This comment[1] suggests the `npm audit` issue has now been resolved.

[0] https://jdstaerk.substack.com/i/173095305/how-to-protect-you...
[1] https://github.com/chalk/chalk/issues/656#issuecomment-32676...

martypitt 3 months ago
Nice - that's even better - thanks! TIL.
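An added example, not from the thread or the linked article: after putting the `overrides` block above into `package.json` and reinstalling, a defender wants to confirm that every copy of those packages in the lockfile, including nested ones, actually resolved to the pinned version. This script walks a `package-lock.json` (lockfileVersion 2 or 3, which keep a top-level `packages` map keyed by `node_modules/...` paths) and reports any copy whose version differs from the pin; the sample lockfile and its `5.9.9` version are constructed for the demo.

```javascript
// Added example: verify that npm "overrides" took effect for the packages
// named in the thread, by checking every copy recorded in package-lock.json.
// Assumes lockfileVersion 2/3 ("packages" map keyed by node_modules paths).

// The pinned versions from the quoted "overrides" block.
const SAFE_PINS = {
  "chalk": "5.3.0",
  "strip-ansi": "7.1.0",
  "color-convert": "2.0.1",
  "color-name": "1.1.4",
  "is-core-module": "2.13.1",
  "error-ex": "1.3.2",
  "has-ansi": "5.0.1",
};

// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Return every installed copy of a watched package whose version differs from
// the pin. An empty array means the overrides reached all nested copies too.
function findUnpinnedCopies(lock, pins = SAFE_PINS) {
  const mismatches = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project entry, not a dependency
    const name = packageNameFromPath(lockPath);
    if (!Object.prototype.hasOwnProperty.call(pins, name)) continue;
    if (entry.version !== pins[name]) {
      mismatches.push({ path: lockPath, name, version: entry.version, expected: pins[name] });
    }
  }
  return mismatches;
}

// Constructed sample lockfile: the top-level chalk is pinned, but a copy
// nested under another dependency still resolved to a non-pinned version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/strip-ansi": { version: "7.1.0" },
    "node_modules/some-cli/node_modules/chalk": { version: "5.9.9" }, // constructed
  },
};

console.log(findUnpinnedCopies(SAMPLE_LOCK)); // one entry: the nested chalk copy
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.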