Suspicious dependency on the "4" package in ts-unused-exports 8.0.1 as published to NPM
jstasiak opened this issue · comments
Hey!
I noticed that when we tried to upgrade ts-unused-exports from 8.0.0 to 8.0.1 a new dependency has been introduced there. The name of the dependency is 4 and it's visible here: https://www.npmjs.com/package/ts-unused-exports/v/8.0.1?activeTab=dependencies. It wasn't there in 8.0.0: https://www.npmjs.com/package/ts-unused-exports/v/8.0.0?activeTab=dependencies
What got me worried is there's no reference to that dependency in package.json on GH (https://github.com/pzavolinsky/ts-unused-exports/blob/bad085c96317d30463433db1af2b55636f95fcb5/package.json) and the 4 package (https://www.npmjs.com/package/4) just seems strange – very old, no readme, the version is 0.0.0 etc.
Should the dependency on 4 actually be there or is this an error somewhere?
Thanks for the report, this is not intentional, I'm unpublishing the version, pending some review.
NPM is not allowing me to unpublish that version so I manually published 8.0.2, no extraneous dependency.
We've been experimenting with CD via GH Actions and (without more info) I need to assume something weird is going on there. I'm disabling CD from the time being, until we can run a proper investigation.
Thanks again @jstasiak for the report, this was super useful and timely.
cc: @mrseanryan
btw, version 8.0.1 has been unpublished (npm just takes a while to update on their side)
Still unclear where did this came from, but this is what I can see so far (as to assess impact):
$ docker run --rm -ti node:16.13.2-slim sh
# bash
root@9adfdad8e109:/# mkdir m4
root@9adfdad8e109:/# cd m4
root@9adfdad8e109:/m4# echo '{}' > package.json
root@9adfdad8e109:/m4# npm i 4
added 1 package, and audited 2 packages in 3s
found 0 vulnerabilities
npm notice
npm notice New major version of npm available! 8.1.2 -> 9.1.3
npm notice Changelog: https://github.com/npm/cli/releases/tag/v9.1.3
npm notice Run npm install -g npm@9.1.3 to update!
npm notice
root@9adfdad8e109:/m4# ls
node_modules package-lock.json package.json
root@9adfdad8e109:/m4# cat package-lock.json
{
"name": "m4",
"lockfileVersion": 2,
"requires": true,
"packages": {
"": {
"dependencies": {
"4": "^0.0.0"
}
},
"node_modules/4": {
"version": "0.0.0",
"resolved": "https://registry.npmjs.org/4/-/4-0.0.0.tgz",
"integrity": "sha512-JWaJnETbU+8EfG4hPw1PFwEHsd7Fjlp0oNRYUYynn8t54P0459HAUiu1jgOnvgOYMZH9YnhfT+bgqcazmbMF5Q=="
}
},
"dependencies": {
"4": {
"version": "0.0.0",
"resolved": "https://registry.npmjs.org/4/-/4-0.0.0.tgz",
"integrity": "sha512-JWaJnETbU+8EfG4hPw1PFwEHsd7Fjlp0oNRYUYynn8t54P0459HAUiu1jgOnvgOYMZH9YnhfT+bgqcazmbMF5Q=="
}
}
}
root@9adfdad8e109:/m4# cd node_modules/4/
root@9adfdad8e109:/m4/node_modules/4# ls
index.js package.json
root@9adfdad8e109:/m4/node_modules/4# cat index.js
root@9adfdad8e109:/m4/node_modules/4# cat package.json
{
"name": "4",
"version": "0.0.0",
"description": "WOOHOO! I GOT 4!",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "",
"license": "ISC"
}
root@9adfdad8e109:/m4/node_modules/4#
Nice, thank you for reacting to this so quickly and for all the work on this library!
As to how this could've happened: I suspect a line like this was executed somewhere in the publishing pipeline at some point, just without --development (?):
- run: npm install --development ${{ matrix.typescript-version }}
where typescript-version is 3 or 4
I'm happy with the status quo so I'll close the issue. Once again thank you for resolving this
update:
1 - there was a bug in the workflows, where typescript@ was missing - so it was trying to install bogus package like 3 or 4 (!)
2 - the deploy workflow was using Node 16 which has a newer version of npm, that involves rewriting package-lock.json to version 2
fixed:
1 - typescript package is mentioned
2 - deploy uses Node 14 (at least until we agree to upgrade to package-lock.json, which may break for older projects... ?)