
Is the Protestware still there? #3

Closed
vworld opened this issue Feb 22, 2023 · 21 comments

Comments

@vworld

vworld commented Feb 22, 2023

Hi
Can you please advise which version the protestware was added?

All previous releases are not there and I seem to not find the history too.

Yours is a great package, and I would like to use the one prior to the release when the protesting codes were added.

Don't want to surprise my users!

@frzsombor

frzsombor commented Mar 7, 2023

Looks like this repo got completely wiped and reinitiated, with code that seems to be dated back before the protestware.
However, please note that this could also mean any change in the commit history and code (but this needs verification).

The original (before wipe) latest versions without the "protestware" were:

  • For version v9: v9.2.1
  • For version v10/v11: v10.1.0

For historical purposes:
More info: https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
The issue that started all: https://web.archive.org/web/20220317042712/https://github.com/RIAEvangelist/node-ipc/issues/233
Also a drop-in fork: achrinza/node-ipc#1

@RIAEvangelist
Owner

RIAEvangelist commented Mar 16, 2023 via email

@miguelcagidefagin

I still got the txt file with npm version a month ago.

@RIAEvangelist
Owner

RIAEvangelist commented Mar 20, 2023

@miguelcagidefagin NPM's latest is 11.1.0. You want to pin 10.1.0 from NPM or point your dependency to this repo directly.

As @frzsombor so kindly wrote:

The original (before wipe) latest versions without the "protestware" were:

  • For version v9: v9.2.1
  • For version v10/v11: v10.1.0

I also recommend you run 'is-my-node-supply-chain-secure' to see how many vulnerable packages you have on your computer. It will scan all your packages system-wide and report which ones are the most likely to have supply chain vulnerabilities in them. It can take a long time depending on how big your system is; you will see each package pop up in the terminal when a vulnerability is found.

Remember to pin your deps at all times. npm-pin-dependencies might be helpful to use from time to time. Also, remember to use npm ci instead of npm i when possible. If you don't know what pinning is yet, read this article on pinning.

I am working with NPM to regain account access now so I can update the package to be optional.

Repository owner deleted a comment from VirtualZer0 Mar 26, 2023
Repository owner deleted a comment from elandorr Jun 26, 2023
@surajpratap

I hope no more protestwares will be added. Had to go through a lot of pain to remove node-ipc from a project earlier. I'll be looking forward to contributing.

@RIAEvangelist
Owner

I am sorry for that, there won't be any more protestware like that. I will be moving the current stuff to the console log as the first update too.

Repository owner deleted a comment from sy-python Dec 14, 2023
@tilkinsc

tilkinsc commented Feb 4, 2024

Seems like the https://www.npmjs.com/package/node-ipc package is still pushing the version with the protestware (npm -v 10.4.0, node -v 21.6.1 btw)

@RIAEvangelist
Owner

v10.1.0 is the latest which does not make a request for peace.

If users find that offensive then just set it to that version as it is the latest before all this crap happened.

Latest also has some other updates to it too, however, none are critical that I am aware of. When the war is over the module will no longer make a call for peace.

@RIAEvangelist
Owner

The description is above already as well.

@jdeg

jdeg commented Feb 9, 2024

@RIAEvangelist I'm using the version 10.1.0 but it keeps showing the ♥ symbol in the console. Is that also part of the protestware? Is there a way to remove it?

@RIAEvangelist
Owner

RIAEvangelist commented Feb 17, 2024 via email

Repository owner deleted a comment from gamer191 Mar 24, 2024
Repository owner deleted a comment from gamer191 Mar 27, 2024
@ramazansancar

It might make sense to publish a new version here to solve the 'protestware' and 'peacenotwar' problems. @RIAEvangelist

https://www.npmjs.com/package/node-ipc

Hello from Turkey 🙌

@RIAEvangelist
Owner

I am open to suggestions as to the best way to resolve this. Perhaps a flag of some kind?

@ramazansancar

By releasing v12.0 as the NPM version, it can be declared that there are no problems with 12 and later. This seems to be the fastest and most effective solution. The library called @latest will be released as the latest version, v12.0.

@xahon

xahon commented Jul 30, 2024

Don't use, malware could be injected anytime

@ramazansancar

By releasing v12.0 as the NPM version, it can be declared that there are no problems with 12 and later. This seems to be the fastest and most effective solution. The library called @latest will be released as the latest version, v12.0.

Hasn't a solution been implemented for this place yet? @RIAEvangelist

@RIAEvangelist
Owner

@ramazansancar as it stands, currently people can choose to use the older version or the current version, all features are the same.

There is so much war happening in the world today, we could put this behind an option and allow engineers to decide for themselves where they stand.

Everything harkens back to what happened in World War 2. It is easy to forget what happened now that it has been so long.

The whole world has gone crazy for the past few years. I am open to PRs.

@RIAEvangelist
Owner

@ramazansancar just pushed the changes to GH. The war is now bidirectional and they will figure things out their way. People of the world should pray for peace and no more forced or carried on bloodshed.

One day, this all will change, treat people the same
Stop with the violence, down with the hate
One day, we'll all be free and proud to be
Under the same sun, singin' songs of freedom

I understand why this is happening, I just don't agree with continued bloodshed, fighting, hate and destruction. It is sad. Hopefully ML and AI can help with this in more than one way, and bring about an era of prosperity and peace without war where people can be free to understand themselves and this place in freedom and joy.

v12.0.0 will be released as suggested. I'm going to push another as this issue and your suggestion qualify you to be a contributor now because you had a direct impact and positive suggestion without hate.

Thank you.

@ramazansancar

@RIAEvangelist Thank you for your understanding and taking action to correct this.

Hello from Turkey 🙌

@DasElias

DasElias commented Sep 2, 2024

Hi,

I want to use this package and am a bit confused. Does this package in the latest version (v12) still contain any malware/protestware, or is it now safe to use?

@ramazansancar

Hi,

I want to use this package and am a bit confused. Does this package in the latest version (v12) still contain any malware/protestware, or is it now safe to use?

The latest version does not contain viruses and is reliable.
