GitHub has published details of the compromise of the NPM infrastructure and of plaintext passwords found in its logs.

GitHub has published the results of its analysis of the attack in which, on April 12, attackers gained access to cloud environments in Amazon AWS used in the infrastructure of the NPM project. The incident analysis showed that the attackers obtained a backup copy of skimdb.npmjs.com, including an archived database with the details of roughly 100 thousand NPM users as of 2015: password hashes, user names and email addresses.

The password hashes had been generated with salted PBKDF2 or SHA1, which were replaced in 2017 by bcrypt, which is far more resistant to brute forcing. Once the incident was identified, the affected passwords were reset and the users were notified to set a new password. Since mandatory two-factor authentication with email confirmation has been in place on NPM since March 1, the risk of those user accounts being compromised is considered negligible.

In addition, all manifest files and metadata of private packages as of April 2021, CSV files with a recent list of the names and versions of all private packages, and the contents of all private packages of two GitHub customers (names not disclosed) fell into the attackers' hands. As for the repository itself, analysis of the traces and verification of package hashes revealed no attacker changes to NPM packages and no publication of new package versions.

The attack was carried out on April 12 using stolen OAuth tokens issued to two third-party GitHub integrators, Heroku and Travis-CI. Using the tokens, the attackers were able to extract from private GitHub repositories an Amazon Web Services API access key used in the NPM project infrastructure. The obtained key allowed access to data stored in the AWS S3 service.

In addition, information was disclosed about a serious privacy problem identified earlier in the handling of user data on the NPM servers: the passwords of some NPM users, as well as NPM access tokens, were stored in plaintext in internal logs. When NPM was integrated with GitHub's logging system, the developers did not ensure that sensitive information was stripped from the requests to NPM services that were written to the log. The error is said to have been fixed and the logs deleted before the attack on NPM. Only certain GitHub employees had access to the logs, which contained the plaintext passwords.

Source: opennet.ru
