Tuesday, August 13, 2024

WARNING - npm allows redefining dependencies and possibly installing any malware

Critical security and privacy issue: npm allows dependencies to be redefined to custom values, overriding the officially declared name.

The package "sournoise" lists another package, "axios", as a declared dependency, so apparently sournoise should also install the official "axios" package, which the npm page links to.

However, there's more than meets the eye, because what the package.json actually does is redefine internally what "axios" is:
{
  "name": "sournoise",
  "version": "1.0.1",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "axios": "https://registry.npmjs.org/@putrifransiska/kwonthol36/-/kwonthol36-1.1.4.tgz"
  }
}
So instead of only being able to declare a dependency by its official name plus a version range, like so (the range is illustrative):
  "dependencies": {
    "axios": "^1.0.0"
  }
npm lets the value be redefined to anything, even a direct download URL:
  "dependencies": {
    "axios": "https://registry.npmjs.org/@putrifransiska/kwonthol36/-/kwonthol36-1.1.4.tgz"
  }
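The practical defence is to treat the dependency key and the thing it resolves to as two separate facts and compare them. The script below is an added example, not code from the post or from npm: it audits a parsed package.json for dependency specs that are not plain registry ranges (URLs, git references, local paths, npm: aliases) and, more usefully, audits a package-lock.json (lockfile v2/v3), where every node_modules/<name> entry should have been resolved from <registry>/<name>/-/. The manifest used as input is the one quoted above; the lockfile fragment is constructed to show what npm records for it, and the function names are my own.

```javascript
// Added example (not from the post): flag dependencies whose installed
// code is not the registry package of the same name.
// Run with: node audit-deps.js  (sample inputs are embedded, runs offline)

const REGISTRY = 'https://registry.npmjs.org';

// Spec shapes that make "what gets installed under <key>" something
// other than the registry package named <key>. First match wins.
const SPEC_KINDS = [
  [/^npm:/, 'alias'],                                // npm:<real-name>@<range>
  [/^(git\+)?(https?|ssh|git):\/\//, 'url'],         // tarball or git URL
  [/^(file|link):/, 'local-path'],
  [/^\.{0,2}\//, 'local-path'],                      // ./x, ../x, /x
  [/^(github|gitlab|bitbucket|gist):/, 'hosted-git'],
  [/^[\w.-]+\/[\w.-]+(#.*)?$/, 'github-shorthand'],  // owner/repo[#ref]
];

function classifySpec(spec) {
  for (const [re, kind] of SPEC_KINDS) if (re.test(spec)) return kind;
  return 'registry'; // semver range or dist-tag: resolves by name
}

// One finding per non-registry spec in the manifest's dependency fields.
function auditManifest(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(String(spec));
      if (kind === 'registry') continue;
      const finding = { field, name, spec, kind };
      if (kind === 'alias') {
        // npm:<real>@<range>; a scoped real name carries its own leading '@'
        const m = /^npm:(@?[^@]+)(?:@(.*))?$/.exec(spec);
        if (m) finding.realName = m[1];
      }
      findings.push(finding);
    }
  }
  return findings;
}

// Lockfile v2/v3 covers transitive deps too: node_modules/<name> must
// have been resolved from <registry>/<name>/-/, otherwise foreign code
// is installed under that name (workspace links are flagged as well).
function auditLockfile(lock, registry = REGISTRY) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const resolved = entry.resolved || '';
    if (!resolved.startsWith(`${registry}/${name}/-/`)) {
      findings.push({ path, name, resolved });
    }
  }
  return findings;
}

// Sample inputs: the manifest quoted in the post, plus a constructed
// lockfile fragment ("some-dep" is a placeholder package name).
const SAMPLE_MANIFEST = {
  name: 'sournoise',
  version: '1.0.1',
  dependencies: {
    axios: 'https://registry.npmjs.org/@putrifransiska/kwonthol36/-/kwonthol36-1.1.4.tgz',
  },
};

const SAMPLE_LOCK = {
  name: 'sournoise',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sournoise', version: '1.0.1' },
    'node_modules/axios': {
      version: '1.1.4',
      resolved: 'https://registry.npmjs.org/@putrifransiska/kwonthol36/-/kwonthol36-1.1.4.tgz',
    },
    'node_modules/some-dep': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/some-dep/-/some-dep-2.0.0.tgz',
    },
  },
};

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`manifest: ${f.field}.${f.name} is a ${f.kind} spec -> ${f.spec}`);
}
for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`lockfile: ${f.path} resolved to ${f.resolved || '(nothing)'}`);
}
```

To run it against a real project, replace the samples with `JSON.parse(fs.readFileSync('package.json', 'utf8'))` and the same for package-lock.json. The lockfile check is the one worth wiring into CI, because it also catches the case where a transitive dependency (not your own package.json) does the redefinition. Treat manifest findings as triage rather than a hard block: git and npm: alias specs are legitimate in many projects, but each one deserves a look at what is really being installed under that name.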

This is extremely unsafe and should not be allowed at all. For reference, AUR packages for Arch can declare dependencies, but you are not allowed to redefine internally what the dependency is:

depends=('gcc-libs')
makedepends=('git' 'cmake' 'patchelf')

This should be addressed immediately: completely purge all unnecessary packages and lock down the database until this is sorted out.
