Hi,
I'm a Cybersecurity researcher developing PackjGuard [1]. Our tool has detected a dependency confusion vulnerability in this repository.
The package @getnova/components mentioned in the README at line 19 does not exist on public NPM registry. A bad actor can hijack this package to propagate malicious code.
Not only your apps/service is vulnerable to this attack, but the users of your open-source Github repo are also vulnerable to this attack.
Please register a placeholder package for @getnova/components on public NPM soon to remediate.
Thanks!
- PackjGuard is a Github app that monitors repos for malicious/vulnerable dependencies and mitigates attacks by creating pull requests for automatic remediation https://github.com/marketplace/packjguard
Hi,
I'm a Cybersecurity researcher developing PackjGuard [1]. Our tool has detected a dependency confusion vulnerability in this repository.
The package
@getnova/componentsmentioned in the README at line 19 does not exist on public NPM registry. A bad actor can hijack this package to propagate malicious code.Not only your apps/service is vulnerable to this attack, but the users of your open-source Github repo are also vulnerable to this attack.
Please register a placeholder package for
@getnova/componentson public NPM soon to remediate.Thanks!