legacy-swc-helpers critical vulnerability #9400

CarlOfHoly · 2024-08-08T11:44:33Z

CarlOfHoly
Aug 8, 2024

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

My project has it as a dependency, but from package-lock I can see that

    "node_modules/legacy-swc-helpers": {
      "name": "@swc/helpers",
      "version": "0.4.14",
      "resolved": "https://registry.npmjs.org/@swc/helpers/-/helpers-0.4.14.tgz",
      "integrity": "sha512-4C7nX/dvpzB7za4Ql9K81xK3HPxCpHMgwTZVyf+9JQ6VUbn9jjZVN7/Nkdz/Ugzs2CSjqnL/UPXroiVBVHUWUw==",
      "dependencies": {
        "tslib": "^2.4.0"
      }
    },

it resolves to @swc/helpers v 0.4.14. Does that mean that I am safe?

magic-akari · 2024-08-08T12:13:30Z

magic-akari
Aug 8, 2024
Maintainer

I suspect that someone recently registered the package "legacy-swc-helpers": https://www.npmjs.com/package/legacy-swc-helpers. However, this name used by "@swc/[email protected]" is merely a reference to the old swc helpers package and does not actually point to the package on npm.
So you should not encounter any issues.

12 replies

kdy1 Aug 30, 2024
Maintainer

@magic-akari Do you have the source code? IIRC we didn't commit it to the repository intentionally

magic-akari Aug 30, 2024
Maintainer

@magic-akari Do you have the source code? IIRC we didn't commit it to the repository intentionally

We can download it from npm.
It's @swc/[email protected].
We won't update it since it's for historical reasons.

~~Or you can just put a single index.js with content：~~

// @swc/legacy-helpers/index.js
module.exports = require("@swc/hepers");

~~and include @swc/[email protected] as dependencies.~~

Edited: there are more the one entries. Re-exporting cannot handle it.

zachmerrill Oct 9, 2024

Any update on a resolution for this? GitHub is still flagging this dependency.

kdy1 Oct 9, 2024
Maintainer

I'll do this right away. Sorry, I forgot about it.

kdy1 Oct 10, 2024
Maintainer

@swc/[email protected] should have this issue fixed.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

legacy-swc-helpers critical vulnerability #9400

{{title}}

Replies: 1 comment 12 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

Select a reply

legacy-swc-helpers critical vulnerability #9400

CarlOfHoly Aug 8, 2024

Replies: 1 comment · 12 replies

magic-akari Aug 8, 2024 Maintainer

kdy1 Aug 30, 2024 Maintainer

magic-akari Aug 30, 2024 Maintainer

zachmerrill Oct 9, 2024

kdy1 Oct 9, 2024 Maintainer

kdy1 Oct 10, 2024 Maintainer

CarlOfHoly
Aug 8, 2024

Replies: 1 comment 12 replies

magic-akari
Aug 8, 2024
Maintainer

kdy1 Aug 30, 2024
Maintainer

magic-akari Aug 30, 2024
Maintainer

kdy1 Oct 9, 2024
Maintainer

kdy1 Oct 10, 2024
Maintainer