Vulnerability - Malware in legacy-swc-helpers
ctrichereau opened this issue · 6 comments
Describe the bug
Yarn audit returns an error:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical │ Malware in legacy-swc-helpers │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ legacy-swc-helpers │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ No patch available │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fontkit │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fontkit > @swc/helpers > legacy-swc-helpers │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1098484 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Advisory text:
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
To Reproduce
Install the latest version: 2.0.2
Run yarn audit
Expected behavior
No error
Thanks in advance
Seems like a false positive (that dependency does not appear in our lock file), but we can try to upgrade @swc/helpers.
Thanks for your prompt reply.
We found this in our lock file:
"@swc/helpers@^0.4.2":
  version "0.4.36"
  resolved "https://registry.yarnpkg.com/@swc/helpers/-/helpers-0.4.36.tgz#fcfff76ed52c214f357e8e9d3f37b568908072d9"
  integrity sha512-5lxnyLEYFskErRPenYItLRSge5DjrJngYKdVjRSrWfza9G6KkgHEXi0vUZiyUeMU5JfXH1YnvXZzSp8ul88o2Q==
  dependencies:
    legacy-swc-helpers "npm:@swc/helpers@=0.4.14"
    tslib "^2.4.0"
I looked at the package.json file of fontkit, and this dependency is declared as follows: "@swc/helpers": "^0.4.2"
So the last minor version of @swc/helpers that this resolves to is version 0.4.36.
Only version 0.4.36 carries the dependency that contains the vulnerability. Lower and higher versions do not.
https://www.npmjs.com/package/@swc/helpers/v/0.4.36
Updating to the latest version seems like the best idea, but I can’t measure the impact it can have.
Hopefully, someone from the contributors can pick the suggested PR, and release, to unlock the other depending packages 😊
legacy-swc-helpers "npm:@swc/helpers@=0.4.14"
This is just an alias, it doesn't actually pull in legacy-swc-helpers from npm I believe.
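Added example, not code from fontkit or @swc/helpers: it parses a yarn.lock v1 entry (the constructed snippet below mirrors the one quoted in this thread) and resolves `npm:` aliases to the package that is really fetched, so an audit hit on an alias key can be checked against what the lock file actually installs.

```javascript
// Added example, not code from fontkit or @swc/helpers: walk the dependency specs of a
// yarn.lock v1 entry and resolve `npm:` aliases to the package that is really fetched,
// so an audit hit on an alias name can be checked against what is actually installed.
// LOCK_SNIPPET is constructed from the entry quoted earlier in this issue.
const LOCK_SNIPPET = `
"@swc/helpers@^0.4.2":
  version "0.4.36"
  resolved "https://registry.yarnpkg.com/@swc/helpers/-/helpers-0.4.36.tgz"
  dependencies:
    legacy-swc-helpers "npm:@swc/helpers@=0.4.14"
    tslib "^2.4.0"
`;

// Collect [name, spec] pairs from every 4-space-indented line under a "dependencies:" key.
function parseDependencies(lockText) {
  const deps = [];
  let inDeps = false;
  for (const raw of lockText.split("\n")) {
    const line = raw.trimEnd();
    if (/^ {2}dependencies:$/.test(line)) { inDeps = true; continue; }
    if (!inDeps) continue;
    if (!/^ {4}\S/.test(line)) { inDeps = false; continue; }
    // Keys containing "@" or "/" are quoted in yarn.lock; plain names are not.
    const m = line.trim().match(/^"?([^"\s]+)"?\s+"([^"]+)"$/);
    if (m) deps.push([m[1], m[2]]);
  }
  return deps;
}

// A spec of the form "npm:<real-name>@<range>" makes the dependency key an alias only;
// the package fetched from the registry is <real-name>, not the key.
function resolveAlias(name, spec) {
  const m = spec.match(/^npm:(@?[^@]+)(?:@(.+))?$/);
  if (!m) return { alias: null, name, range: spec };
  return { alias: name, name: m[1], range: m[2] ?? "*" };
}

// True when a package of the given name is really pulled in (after alias resolution).
function isReallyInstalled(lockText, pkgName) {
  return parseDependencies(lockText)
    .map(([n, s]) => resolveAlias(n, s))
    .some((d) => d.name === pkgName);
}

console.log(parseDependencies(LOCK_SNIPPET).map(([n, s]) => resolveAlias(n, s)));
```

For the quoted entry this reports that `legacy-swc-helpers` is only an alias for `@swc/helpers@=0.4.14`, which is why the audit hit on that name does not correspond to a package named legacy-swc-helpers being installed.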
Published the change in v2.0.3.
Looks like this broke the CommonJS build unfortunately - #345
Update: should be fixed in v2.0.4