electrode-io/electrode-native

CVE-2022-23812: YOUR CODE IS INFECTED WITH MALICIOUS DEPENDENCY - node-ipc

lgg opened this issue · 1 comments

lgg commented

Newest version of node-ipc delete all users's files from device. You should not use this dependency anymore!

You can learn more here: https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c

Check possible solution that already applied in vue.js: vuejs/vue-cli#7054 (comment)

also check more here: https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/

Hi @lgg - Thanks for the heads-up. The version of node-ipc we declare in package.json is ^9.1.4 (locked to 9.2.1 in yarn.lock). Version 9.2.1 is not affected by this exploit. Just to make extra sure, I'll remove the caret and specify version 9.2.1 explicitly to avoid any unintended upgrades in the future to a version that is affected.