JS devs beware: avoid node-ipc + CVE! + Updates suck?!
3 years ago
TL;DR: Avoid installing node-ipc for a while. News might be old by now but you might want to read here: https://security.snyk.io/vuln/SNYK-.....ODEIPC-2426370
Longer story:
So I was browsing Youtube and sometimes I peek into uber-private-ist channels just to see if there is any interesting topic. Now, I personally know the usage of node-ipc myself and was surprised to see it there. But since I do NOT consent to the wording and phrasing in this video, I won't link it. You can find it on "Metal Outlaw"'s channel. Amidst the end and partially in the middle, there are phrasings which I consider homophobic and racist - and generally very toxic ("[...] one clean cut away from femboy").
If you want to ensure you don't run into issues like this, make sure you take advantage of free services like Travis for your test integration and general CI and DON'T UPDATE IMMEDIATELY - EVER. Not all updates are good, and not all updates fix anything of meaning but can end up breaking something else. My E-Mail client, Mailspring, was severely broken due to an error with BetterSQLite and because auto-updates were enforced, I had no choice but to use GMail for the time being, which sucked a lot. It took four days until the issue was resolved - which, to be fair, is not a whole lot - but I am in the middle of trying to find a job. Because I happen to be poor af and energy prices here in Germany are only about to explode. Literally. Gas prices are already up 50% at the station near me - I walk past it daily so I know.
Let this be a lesson to be careful with updates. I live on the bleeding edge where possible, but I read every single changelog. Be it Genshin, Mailspring, Discord or even the Twitter app on my phone or Element on any of the platforms I use it on; I end up skipping many updates because I see no value in breaking my most important software. It cannot be prohibited in some cases, as updating is mandated by the respective vendor (miHoYo aka. Hoyoverse for Genshin, vector.im for Element and Foundy376 for Mailspring, ...) but if possible, I will skip an update that does not fix a problem I have, might have, or a feature I don't care for.
And the example of node-ipc just proves that point. If you need another example, look at what happened to Faker.js, although the context of that situation is vastly different from the "protestware" that was implemented in node-ipc.
Just thought I'd let y'all know. o.o
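One concrete way to act on the "don't update immediately" advice for a Node project is to find every dependency whose version range would pull in a brand-new release on the next install, and pin those to the versions your lockfile already resolved. The following is an added example, not code from the post or from the node-ipc project; the sample package.json and the lockfile version map are constructed for the demo, and the version numbers in them are made up (they do not encode the affected node-ipc releases).

```javascript
// Constructed sample manifest for the demo; every version here is made up.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: {
    "node-ipc": "^9.0.0", // caret: any future 9.x gets installed automatically
    "express": "~4.17.0", // tilde: any future 4.17.x
    "left-pad": "1.3.0",  // exact pin: only this release
    "lodash": "*",        // unbounded: whatever is newest
  },
  devDependencies: { "mocha": ">=9.0.0", "eslint": "latest" },
});

// An exact semver version (optionally with a prerelease tag) is the only
// range that cannot drift to a release published after you reviewed it.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

function classifyRange(range) {
  if (EXACT.test(range)) return "exact";
  if (range.startsWith("^")) return "caret (minor/patch drift)";
  if (range.startsWith("~")) return "tilde (patch drift)";
  if (range === "*" || range === "" || range === "latest") return "unbounded";
  return "range"; // >=, ||, x-ranges, etc. all float
}

// List the dependencies that can silently pick up a new upstream release.
function findFloatingDeps(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const floating = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      const kind = classifyRange(range);
      if (kind !== "exact") floating.push({ name, range, field, kind });
    }
  }
  return floating;
}

// Rewrite floating ranges to the versions the lockfile resolved, so that the
// next upgrade is a deliberate, changelog-reviewed edit rather than a side
// effect of `npm install`. lockedVersions is a {name: version} map (hypothetical
// input; in practice you would read it from package-lock.json).
function pinToLock(packageJsonText, lockedVersions) {
  const pkg = JSON.parse(packageJsonText);
  for (const field of ["dependencies", "devDependencies"]) {
    for (const name of Object.keys(pkg[field] || {})) {
      if (classifyRange(pkg[field][name]) !== "exact" && lockedVersions[name]) {
        pkg[field][name] = lockedVersions[name];
      }
    }
  }
  return JSON.stringify(pkg, null, 2);
}
```

Running findFloatingDeps on the sample flags five of the six entries; only left-pad is already pinned.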