duskload/react-device-detect

Malware in dependency

quaspar opened this issue · 5 comments

ua-parser-js has been hijacked and installs malware on your computer. Check its npm page.
Fix dependency to version 0.7.28 as later versions are dangerous.

@quaspar Thanks for the report. I use 0.7.28 and never was updated to 0.7.29.

"ua-parser-js": "^0.7.28"

But the caret means you will get 0.7.29 if you update now. Change to 0.7.28 (without caret).

Thanks for pointing this out, you are right. I will update and upload new version soon.

@quaspar Thanks again, new version already on npm.

bpod commented

Maybe this should be locked to the latest patch version that came out? 0.7.30.

https://us-cert.cisa.gov/ncas/current-activity/2021/10/22/malware-discovered-popular-npm-package-ua-parser-js