qr.js dependency is overtaken #177

Open
bratsos opened this issue Dec 1, 2021 · 2 comments

Comments


bratsos commented Dec 1, 2021

First of all, thanks a lot for your work on this library! Recently, the GitHub project of qr.js (linked by npm) has been compromised and points to an empty repo.

There's another repo that contains the original code (AFAICT), linked here, and it seems to be the same author.

Not sure what the best practice is here; off the top of my head, in descending order security-wise: either link directly to the second GitHub repo in your package.json, fork the repo under your account, or even vendor in the minified version of qr.js and include it in your library.

Cheers!
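An added example (not code from this issue or from the library it was filed against) that classifies each package.json dependency spec by whether what it resolves to can change upstream without a change in the project's own files, which is the difference between the three options above; the package names, owner, host and commit hash in the sample are placeholders.

```javascript
// Classify a package.json dependency spec. A registry range or a git branch/tag
// is re-resolved at install time and can follow a hijacked upstream; a git spec
// pinned to a full commit SHA or a vendored "file:" path cannot.
const FULL_SHA = /^[0-9a-f]{40}$/i;

function classifyDependencySpec(spec) {
  if (typeof spec !== 'string') return 'invalid';
  if (spec.startsWith('file:') || spec.startsWith('link:')) return 'vendored';
  if (/^https?:\/\//.test(spec)) return 'tarball-url';   // remote archive, mutable
  // Git sources: "git+https://...", "git://...", "github:owner/repo#ref", "owner/repo#ref"
  const isGit = /^(git\+|git:|github:|gitlab:|bitbucket:)/.test(spec)
    || /^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec);
  if (isGit) {
    const hash = spec.indexOf('#');
    if (hash === -1) return 'git-floating';              // default branch, mutable
    const ref = spec.slice(hash + 1).replace(/^semver:/, '');
    return FULL_SHA.test(ref) ? 'git-pinned' : 'git-floating';
  }
  return 'registry';                                     // version range, resolved by npm
}

// Report every dependency and devDependency with its classification.
function auditDependencies(pkgJson) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const report = {};
  for (const [name, spec] of Object.entries(deps)) {
    report[name] = classifyDependencySpec(spec);
  }
  return report;
}

// Constructed sample package.json; owner, host, commit and version are placeholders.
const samplePackageJson = {
  name: 'example-app',
  dependencies: {
    'qr.js': '^0.0.0',                                                        // registry range
    'qr.js-pinned': 'github:OWNER-PLACEHOLDER/qr.js#0123456789abcdef0123456789abcdef01234567',
    'qr.js-branch': 'git+https://example.invalid/OWNER-PLACEHOLDER/qr.js.git#main',
    'qr.js-vendored': 'file:vendor/qr.js',                                    // copy kept in-tree
  },
};

console.log(auditDependencies(samplePackageJson));
```

Only the `git-pinned` and `vendored` entries are immutable from the project's side; the lockfile's `resolved`/`integrity` fields still deserve review for the rest.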

bratsos changed the title from "qr.js dependency is over taken" to "qr.js dependency is overtaken" on Dec 1, 2021
@rosskhanas (Owner)


yoDon commented Dec 23, 2022

For anyone who is curious about what happened to qr.js, there is a good write-up on it at https://blog.sonatype.com/researcher-takes-over-qr.js-via-repo-hijacking.-is-the-npm-package-safe
