A vulnerability that allowed an update to be published for any package in the NPM repository

GitHub has disclosed two incidents in its NPM package infrastructure. On November 2, security researchers from an outside company (Kajetan Grzybowski and Maciej Piechota), working under the Bug Bounty program, reported a vulnerability in the NPM repository that allowed a new version of any package to be published from one's own account, even though that account was not authorized to make such updates.

The vulnerability was caused by an inconsistent permission check across the microservices that process requests to NPM. The authorization service checked the publisher's rights against the package name carried in the request, but a separate service that writes the update into the repository decided which package to publish from the metadata of the uploaded package itself. An attacker could therefore request the publication of an update to their own package, to which they did have access, while the uploaded package document named a different package, and that other package is the one that ended up being updated. The root cause is that the identity that was authorized and the identity that was acted upon came from two different, unreconciled sources.
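The following is an added example, not NPM's or GitHub's own code: a toy two-service registry that reproduces the class of bug described above (authorization keyed on the request path, storage keyed on the uploaded metadata) next to a hardened storage service that refuses to write to any name other than the one that was authorized. The users, package names and ACL are constructed for illustration.

```javascript
// Constructed ACL: which user may publish which package.
const acl = {
  'attacker-pkg': ['mallory'],
  'victim-pkg': ['alice'],
};

// Constructed registry contents: package name -> latest published version.
function makeRegistry() {
  return {
    'attacker-pkg': '1.0.0',
    'victim-pkg': '2.3.1',
  };
}

// Service 1: authorization. It only sees the package name carried in the
// request path (think PUT /attacker-pkg) and the authenticated user.
function authorize(request) {
  const allowed = acl[request.pathPackage] || [];
  return allowed.includes(request.user);
}

// Service 2 (vulnerable): storage. It trusts the "name" field of the uploaded
// package document to decide which record to overwrite.
function publishVulnerable(registry, request) {
  if (!authorize(request)) {
    return { ok: false, reason: 'forbidden' };
  }
  const meta = request.body;
  registry[meta.name] = meta.version; // target taken from attacker-controlled body
  return { ok: true, published: meta.name };
}

// Hardened storage: the name that was authorized is the only name that may be
// written, and a body that disagrees with it is rejected outright.
function publishHardened(registry, request) {
  if (!authorize(request)) {
    return { ok: false, reason: 'forbidden' };
  }
  const meta = request.body;
  if (meta.name !== request.pathPackage) {
    return { ok: false, reason: 'name mismatch' };
  }
  registry[request.pathPackage] = meta.version; // write only to the authorized name
  return { ok: true, published: request.pathPackage };
}

// Constructed malicious request: authorized for attacker-pkg, but the uploaded
// document claims to be victim-pkg.
const maliciousRequest = {
  user: 'mallory',
  pathPackage: 'attacker-pkg',
  body: { name: 'victim-pkg', version: '9.9.9' },
};

// Run the same request through both storage services on fresh registries.
function demo() {
  const vulnerable = makeRegistry();
  const hardened = makeRegistry();
  const r1 = publishVulnerable(vulnerable, maliciousRequest);
  const r2 = publishHardened(hardened, maliciousRequest);
  return { vulnerable, hardened, r1, r2 };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the vulnerable path `victim-pkg` is silently replaced with version `9.9.9` although `mallory` was never authorized for it; the hardened path rejects the request with `name mismatch` and leaves `victim-pkg` at `2.3.1`. The general rule the example illustrates: every service that performs a privileged write must key that write on the same identity the authorization decision was made for, never on a value it re-reads from the client-supplied payload.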

The problem was fixed 6 hours after the report, but the vulnerability had existed in NPM for longer than the retained telemetry logs cover. GitHub states that no traces of attacks using this vulnerability have been found since September 2020, but there is no guarantee that the problem was not exploited before that.

The second incident occurred on October 26. During maintenance work on the database behind the replicate.npmjs.com service, confidential data was found in a database reachable by external requests, exposing the names of internal (private) packages that appeared in the change feed. Such names can be used to mount dependency confusion attacks on internal projects (in February, an attack of this kind allowed code execution on servers of PayPal, Microsoft, Apple, Netflix, Uber and 30 other companies).
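As an added example (not NPM's or GitHub's tooling), the check below takes the defender's side of the scenario above: given a project's package.json, its .npmrc and a list of package names known to be internal, it reports every internal dependency that npm would resolve against the public registry, which is exactly what a leaked internal name lets an attacker exploit. The package.json, .npmrc and internal name list are constructed for illustration.

```javascript
// Constructed .npmrc: only the @acme scope is routed to a private registry.
const npmrcText = `
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
//npm.internal.example/:_authToken=\${NPM_TOKEN}
`;

// Constructed package.json. "acme-utils" and "billing-core" are internal
// packages that were published without a scope; "@acme/auth" is scoped.
const packageJson = {
  dependencies: {
    '@acme/auth': '^1.2.0',
    'acme-utils': '^3.0.0',
    'lodash': '^4.17.21',
  },
  devDependencies: {
    'billing-core': '~2.1.0',
  },
};

// Constructed list of names known to be internal (for example, exported from
// the private registry's index).
const internalNames = new Set(['@acme/auth', 'acme-utils', 'billing-core']);

// Extract "@scope:registry=URL" mappings from an .npmrc body.
function parseScopedRegistries(text) {
  const scopes = new Map();
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const m = /^(@[^:=\s]+):registry\s*=\s*(\S+)$/.exec(line);
    if (m) scopes.set(m[1], m[2]);
  }
  return scopes;
}

// Scope of a package name ("@acme" for "@acme/auth"), or null if unscoped.
function scopeOf(name) {
  return name.startsWith('@') ? name.slice(0, name.indexOf('/')) : null;
}

// Report internal dependencies that would be fetched from the public registry:
// unscoped internal names, and scoped names whose scope is not pinned to a
// private registry in .npmrc.
function findConfusableDependencies(pkg, npmrc, internal) {
  const scopes = parseScopedRegistries(npmrc);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (!internal.has(name)) continue;
    const scope = scopeOf(name);
    if (scope === null) {
      findings.push({ name, reason: 'unscoped internal name resolves on the public registry' });
    } else if (!scopes.has(scope)) {
      findings.push({ name, reason: `scope ${scope} not mapped to a private registry` });
    }
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

console.log(findConfusableDependencies(packageJson, npmrcText, internalNames));
```

For the constructed input the check flags `acme-utils` and `billing-core` and leaves `@acme/auth` alone, because its scope is routed to the private registry. Routing a scope in .npmrc only helps if the scope itself is also registered on the public registry under the organization's control, so that nobody else can publish `@acme/*` there; the check above does not verify that and treats it as an assumption.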

In addition, because of the growing number of hijacked repositories of large projects and of malicious code pushed through compromised developer accounts, GitHub has decided to introduce mandatory two-factor authentication. The change takes effect in the first quarter of 2022 and applies to the maintainers and administrators of packages on the most-popular list. Infrastructure improvements are also announced: automated monitoring and analysis of newly published package versions, so that malicious changes are detected early.

Recall that, according to a study carried out in 2020, only 9.27% of package maintainers used two-factor authentication to protect their access, and in 13.37% of new account registrations developers attempted to reuse compromised passwords that had already appeared in known password leaks. During a password security review, 12% of NPM accounts (covering 13% of packages) could be accessed because of predictable, trivial passwords such as "123456". Among those affected were 4 accounts belonging to the 20 most popular packages, 13 accounts with packages downloaded more than 50 million times per month, 40 with more than 10 million downloads per month, and 282 with more than 1 million downloads per month. Taking into account modules pulled in along dependency chains, the compromise of these poorly secured accounts could affect up to 1% of all modules in NPM.

Source: opennet.ru
