
packages hijacking #157

Open
mytskine opened this issue Jun 30, 2023 · 2 comments

Comments

@mytskine

  1. I search for "zxcvbn" packages https://asset-packagist.org/package/search?query=zxcvbn
  2. I see that "npm-asset/zxcvbn-ts--core" exists, with a latest release at 3.0.2
  3. I click on the package name and land on https://asset-packagist.org/package/npm-asset/zxcvbn-ts--core
  4. I see that the release "3.0.2" is not listed, and that greater release numbers exist.
    Eventually, I understand that the wrong package ("npm-asset/zxcvbn") is displayed on this page.
  5. I test an install with composer require npm-asset/zxcvbn-ts--core and the wrong package gets installed.
    In other words, the package "npm-asset/zxcvbn" has hijacked "npm-asset/zxcvbn-ts--core", though they are unrelated (the latter started as a rewrite of the former, but their APIs are now incompatible).

Unless I'm mistaken, there is no way to install the real package "npm-asset/zxcvbn-ts--core". That's alright, but in any case another incompatible package should never get installed instead.

On a side note, the link on https://asset-packagist.org/package/npm-asset/zxcvbn-ts--core is wrong and sends to a 404 page:
https://npmjs.com/package/zxcvbn-ts--core should become https://www.npmjs.com/package/@zxcvbn-ts/core

@mytskine
Author

After some more investigation, it seems that asset-packagist created composer packages only for some of the git tags in the zxcvbn-ts repository. Those tags are those that are shared with zxcvbn. This explains why the old package has hijacked this one.

The problem is still partly there:

  • The releases displayed by asset-packagist were wrong: they were never released under this name on npm. Clicking "Fetch updates from npm" has solved it for this package, but those releases should never have been there.
  • The page now claims "This package is OK to use!" but the SHA column is always at "n/a" with no link to sources.
  • The link to npm is broken.

Surprisingly, forcing composer to install zxcvbn-ts--core@3.0.* did work now, so there is a workaround for the main problem.
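A check for the symptom described in this issue, as an added example that is not part of the issue or of asset-packagist's code: it derives the npm package an `npm-asset/...` composer package should wrap (the `scope--name` to `@scope/name` mapping is assumed from the links quoted above) and flags a vendor directory whose package.json names a different npm package, as happened here with `zxcvbn` installed under `zxcvbn-ts--core`. The `audit_vendor_dir` helper and the sample package.json contents are constructed for the example.

```python
import json
from pathlib import Path
from typing import Dict, List, Optional

VENDOR = "npm-asset"  # asset-packagist's composer vendor name for npm packages

def expected_npm_name(composer_name: str) -> str:
    """Map a composer name to the npm package it should wrap (assumed convention,
    inferred from this issue's links: 'foo' -> 'foo', 'scope--name' -> '@scope/name')."""
    vendor, _, pkg = composer_name.partition("/")
    if vendor != VENDOR or not pkg:
        raise ValueError(f"not an {VENDOR} package: {composer_name}")
    if "--" in pkg:
        scope, _, name = pkg.partition("--")
        return f"@{scope}/{name}"
    return pkg

def check_installed(composer_name: str, package_json: dict,
                    expected_version: Optional[str] = None) -> List[str]:
    """Return the problems found for one installed package (empty list = OK)."""
    problems = []
    want = expected_npm_name(composer_name)
    got = package_json.get("name")
    if got != want:
        # The symptom from this issue: the directory is named for one npm
        # package but its package.json says it is a different one.
        problems.append(f"{composer_name}: contains npm package {got!r}, expected {want!r}")
    if expected_version and package_json.get("version") != expected_version:
        problems.append(f"{composer_name}: version {package_json.get('version')!r}, "
                        f"expected {expected_version!r}")
    return problems

def audit_vendor_dir(vendor_root: Path) -> Dict[str, List[str]]:
    """Run check_installed over every vendor/npm-asset/*/package.json (hypothetical helper)."""
    results = {}
    for pkg_json in sorted((vendor_root / VENDOR).glob("*/package.json")):
        composer_name = f"{VENDOR}/{pkg_json.parent.name}"
        results[composer_name] = check_installed(composer_name, json.loads(pkg_json.read_text()))
    return results

# Constructed samples (not real registry data): the first is the hijack the
# reporter saw, the second is what a correct install would contain.
HIJACKED_SAMPLE = {"name": "zxcvbn", "version": "0.0.0-constructed"}
GOOD_SAMPLE = {"name": "@zxcvbn-ts/core", "version": "3.0.2"}

if __name__ == "__main__":
    for sample in (HIJACKED_SAMPLE, GOOD_SAMPLE):
        print(check_installed("npm-asset/zxcvbn-ts--core", sample, "3.0.2") or "OK")
```

Running it against a real project means calling `audit_vendor_dir(Path("vendor"))` after `composer install` and failing the build on any non-empty result.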

@SilverFire
Member

Hello!
Thanks for digging! Yes, this is not right and could be improved.
We will leave this issue open and get back to it during the next project maintenance session. And PRs are always welcome if you would like to put some effort into this task.
