A malicious change has been made to the NPM package node-ipc that wipes files on systems in Russia and Belarus.

A malicious change has been found in the node-ipc NPM package (CVE-2022-23812): with a 25% probability, the contents of every file the process has write access to are replaced with the "❤️" character. The malicious code is triggered only when run on a system with an IP address from Russia or Belarus. The node-ipc package has about a million downloads per week and is used as a dependency by 354 packages, including vue-cli. Every project that has node-ipc as a dependency is affected by the problem as well.

The malicious code was published to the NPM repository as part of node-ipc 10.1.1 and 10.1.2. A malicious change was published to the project's Git repository on behalf of the project's author 11 days ago. The country is determined in the code by calling the api.ipgeolocation.io service. The key used to access the ipgeolocation.io API from the malicious change has since been revoked.

In comments on the warning about the appearance of the suspicious code, the project author stated that the change was meant to add a file to the desktop with a message calling for peace. In reality, the code performs a recursive scan of directories and attempts to overwrite every file it encounters.

node-ipc releases 11.0.0 and 11.1.0 were later published to the NPM repository, replacing the built-in malicious code with an external dependency, "peacenotwar", which is controlled by the same author and is offered for inclusion by package maintainers who want to join the protest. The peacenotwar package is stated to only display a message about peace, but given the actions the author has already taken, the future contents of the package are unpredictable and there is no guarantee against destructive changes.

At the same time, an update was released to the stable node-ipc 9.2.2 branch, which is used by the Vue.js project. In the new release, besides peacenotwar, the colors package was also added to the dependency list; its author had included destructive changes in its code in January. The license of the new release was changed from MIT to DBAD.

Since the author's further actions are unpredictable, node-ipc users are advised to pin their dependency to version 9.2.1. Pinning versions is also recommended for other projects developed by the same author, who maintains 41 packages. Some of the packages maintained by the same author (js-queue, easy-stack, js-message, event-pubsub) have around a million downloads per week.
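A lockfile check for the node-ipc versions named above, added here as an example (it is not part of the original article or of the node-ipc project). It walks the "packages" map of a lockfileVersion 2/3 package-lock.json, flags the affected node-ipc versions and any copy of peacenotwar, and shows the recommended 9.2.1 pin as an npm "overrides" entry; the sample lockfile and its nested dependency path are constructed.

```javascript
// Added example, not from the original article: audit a package-lock.json
// for the node-ipc versions the article lists and for the peacenotwar package.
// Affected versions come from the article; the sample lockfile below is constructed.
const AFFECTED_NODE_IPC = new Set(["10.1.1", "10.1.2", "11.0.0", "11.1.0", "9.2.2"]);

// Walks the "packages" map of a lockfileVersion 2/3 lock (nested copies included)
// and returns one finding per affected entry, in lockfile order.
function findProtestware(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (name === "node-ipc" && AFFECTED_NODE_IPC.has(meta.version)) {
      findings.push({ path, name, version: meta.version,
        reason: "node-ipc version listed as carrying or pulling in protestware" });
    }
    if (name === "peacenotwar") {
      findings.push({ path, name, version: meta.version,
        reason: "peacenotwar package present in dependency tree" });
    }
  }
  return findings;
}

// Constructed sample lockfile: a pinned top-level node-ipc plus a nested affected
// copy under a hypothetical dependency ("some-dep") and a stray peacenotwar.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "9.2.1" },
    "node_modules/some-dep/node_modules/node-ipc": { version: "9.2.2" },
    "node_modules/peacenotwar": { version: "1.0.0" },
  },
};

// The article's recommended pin, expressed as an npm "overrides" entry for package.json
// so that nested copies of node-ipc are forced to 9.2.1 as well.
const PIN_OVERRIDE = { overrides: { "node-ipc": "9.2.1" } };

for (const f of findProtestware(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.reason}`);
}
```

To audit a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.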

Addendum: Several attempts have been recorded to add functionality to various open packages that is unrelated to the application's direct purpose and is tied to the system's IP address or locale. The most harmless of these changes (es5-ext, rete, PHP composer, PHPUnit, Redis Desktop Manager, Awesome Prometheus Alerts, verdaccio, filestash) boil down to showing users from Russia and Belarus a call to end the war. At the same time, more harmful manifestations have also been identified: for example, an encryptor was added to the AWS Terraform modules package, and political restrictions were introduced into licenses. The Tasmota firmware for ESP8266 and ESP32 devices has an embedded flag that can block the device's operation. It is believed that such activity could undermine trust in open source software.

source: budenet.ru
