Hacker News new | past | comments | ask | show | jobs | submit login

The version numbers aren't immutable, so an attacker can just update the versions to point to the compromised code, which is what happened here. Commit hashes are a great idea, but you still need to be careful: lots of people use bots like Renovate to update your pinned hashes whenever a new version is published, which runs into the same problem.



I don't think that's exactly what happened here: the compromise created new tags but generally the tag consumption relies on semantic versioning

In other words: you specify version 44, the attacker creates 44.1, you're still hosed.


No you literally can (and the attackers did) change version 44 (the tag for it) to point to a different compromised commmit


Yes, you're right. I wasn't able to double-check as the repo was deleted at the time. That said, AIUI making the tags read-only would still often be vulnerable to semantic-version exploitation.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: