rosskhanas/react-qr-code

qr.js dependency is overtaken

bratsos opened this issue · 2 comments

First of all, thanks a lot for your work on this library! Recently, the GitHub project of qr.js (linked by npm) has been compromised and points to an empty repo.

There's another repo that contains the original code (AFAICT) linked here and it seems to be the same author.

Not sure what the best practice is here, but off the top of my head, in descending order security-wise: either link directly to the second GitHub repo in your package.json, fork the repo under your account, or even vendor in the minified version of qr.js and include it in your library.

Cheers!
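One way to audit the first of those options (pointing package.json straight at a GitHub repo), added here as an example and not code from react-qr-code or its author; the owner names, package names and specs below are constructed sample data, not the real manifest:

```javascript
// Added example, not code from react-qr-code or its author. Checks the dependency
// specs in a package.json for the "link directly to the GitHub repo" option: a spec
// that names a repo without a full commit hash resolves to whatever the repo serves
// at install time, so a hijacked or emptied repo is pulled in on the next install;
// a 40-hex commit pin is immutable. All names and specs here are constructed.

const FULL_COMMIT = /^[0-9a-f]{40}$/i;

// Recognise the GitHub forms npm accepts: "user/repo", "github:user/repo",
// "git+https://github.com/user/repo.git", each with an optional "#ref".
// Returns null for registry ranges ("^1.2.0"), file:, npm: and other URLs.
function parseGitHubSpec(spec) {
  const m = /^(?:github:|git\+https?:\/\/github\.com\/|https?:\/\/github\.com\/)?([\w.-]+)\/([\w.-]+?)(?:\.git)?(?:#(.*))?$/.exec(spec);
  if (!m) return null;
  return { owner: m[1], repo: m[2], ref: m[3] || '' };
}

// Classify one dependency spec:
//   registry - semver range or other non-GitHub spec; rely on lockfile integrity hashes
//   pinned   - GitHub repo at an immutable commit hash
//   floating - GitHub repo tracking a branch, a tag, or the default branch
function classifySpec(spec) {
  const gh = parseGitHubSpec(spec);
  if (!gh) return 'registry';
  return FULL_COMMIT.test(gh.ref) ? 'pinned' : 'floating';
}

// Audit dependencies and devDependencies, returning only the floating ones.
function auditDependencies(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps)
    .map(([name, spec]) => ({ name, spec, status: classifySpec(spec) }))
    .filter((d) => d.status === 'floating');
}

// Constructed sample manifest: a branch-tracking repo ref, a commit pin, a registry range.
const SAMPLE_PKG = {
  dependencies: {
    'qr.js': 'github:someuser/qr.js#master',               // tracks a branch: floating
    'pinned-lib': 'someuser/pinned-lib#' + 'a'.repeat(40), // commit pin: stable
    'react': '^16.8.0',                                    // registry range
  },
};

for (const f of auditDependencies(SAMPLE_PKG)) {
  console.log(`${f.name}: "${f.spec}" is ${f.status}; pin a full commit hash, fork it, or vendor the file`);
}
```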

yoDon commented

For anyone who is curious about what happened to qr.js, there is a good write up on it at https://blog.sonatype.com/researcher-takes-over-qr.js-via-repo-hijacking.-is-the-npm-package-safe