- Use only the
package.jsonmanifest - Run
yarn install - Check
/tmp/world.txt(should be empty) - Update the
yarn.lockfile with the one provided in this gist - Run
yarn install(oryarn install --frozen-lockfilewhich is also susceptible to this attack vector) - Confirm
/tmp/world.txtis now created on the filesystem
Last active
December 23, 2019 23:15
-
-
Save lirantal/38c4b735a008dd1badca31e17f64510a to your computer and use it in GitHub Desktop.
lockfile-lint concerns with yarn.lock
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "name": "lla", | |
| "version": "1.0.0", | |
| "description": "", | |
| "main": "index.js", | |
| "scripts": { | |
| "test": "echo \"Error: no test specified\" && exit 1" | |
| }, | |
| "keywords": [], | |
| "author": "", | |
| "license": "ISC", | |
| "dependencies": { | |
| "debug": "^4.1.1", | |
| } | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. | |
| # yarn lockfile v1 | |
| debug@^4.1.1: | |
| version "4.1.1" | |
| resolved "https://registry.yarnpkg.com/debug/-/debug-4.1.1.tgz#3b72260255109c6b589cee050f1d516139664791" | |
| integrity sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw== | |
| dependencies: | |
| ms "^2.1.1" | |
| ms@^2.1.1: | |
| version "2.1.1" | |
| resolved "https://github.com/lirantal/ms/tarball/master" | |
| integrity sha512-DlpjtaUS9RFy3q9oagI6RWUkIIk8UOJ+ZwxqlZ+y3sKvk3n93nD9gL/Nw06xI5i8YTqT9Q5znTs6HzVZO9BjDQ== |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment