On 21/02/2021 16:43, Rene Engelhard wrote:
And LibreOffice Online *does* use npm. So while LibreOffice itself shouldn't be affected, conceptually by using npm LibreOffice Online is.
I think if you use 'npm install' (or 'yarn install'), the manager should be pulling in the correct version and then hash checking based on the contents of the .lock file. Running `npm update`, `npm install <new package>` or similar may be affected.
The real issue is when a new dependency gets added or updated but everything seems normal, in that the replacement dependency has stubs to not make the code crash, but also does nefarious things in the background. There would be no way to know without deep inspection, and npm dependency trees are usually huge.
-- Andrew
_______________________________________________ LibreOffice mailing list LibreOffice@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/libreoffice