session private messenger does not consider supply chain attacks yet? #2321
Comments
The dependency chain is quite gigantic. I am not an NPM expert. Someone I trust sent me the following NPM dependency tree. Considering the previous backdoor in the dependency chain of copay, it seems quite likely that any of the following 500 dependencies might be malicious.
Why this might matter in practice, see separate ticket: (Which are known vulnerabilities, not deliberate, explicit, direct backdoors such as the copay backdoor.)
We don't use npm in Session desktop, we use Yarn, so `yarn audit` would be the correct command to run. Generally we try to apply fixes to critical issues as they arise; however, not every automatically flagged vulnerability will actually be an exploitable vulnerability in Session. So reports like this are often not indicative of actual security in Session.
In addition to Kee's comment: On Session desktop, we pin the versions of the packages we are using in the Looking at that thread you posted, it is about the package So for instance, if we somehow used the I hope this helps.
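As an added example (not Session's own code and not posted by anyone in this thread), the script below shows what checking a pinned Yarn lockfile can look like in practice: it parses a `yarn.lock` v1 file, reports entries that are not fully pinned (no `integrity` hash, or a `resolved` tarball whose version does not match the pinned `version`), and flags any `name@version` that appears on a denylist of known-bad releases. The lockfile text and the `FLAGGED` set are constructed for illustration; the hypothetical package names in them are not real advisories.

```javascript
// Added example, not Session desktop code. Audits a yarn.lock v1 text for
// unpinned entries and for releases on a constructed denylist.

// Constructed sample lockfile (yarn v1 format); package names are hypothetical.
const SAMPLE_LOCKFILE = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@scope/pkg@^1.0.0":
  version "1.2.3"
  resolved "https://registry.yarnpkg.com/@scope/pkg/-/pkg-1.2.3.tgz#abc"
  integrity sha512-AAAA

left-pad@^1.0.0, left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#def"
  integrity sha512-BBBB

dodgy-helper@^0.1.0:
  version "0.1.2"
  resolved "https://registry.yarnpkg.com/dodgy-helper/-/dodgy-helper-0.1.2.tgz#123"
  integrity sha512-CCCC

no-hash@*:
  version "2.0.0"
  resolved "https://example.com/mirror/no-hash-2.0.0.tgz"

mismatch@^3.0.0:
  version "3.1.0"
  resolved "https://registry.yarnpkg.com/mismatch/-/mismatch-3.0.9.tgz#456"
  integrity sha512-DDDD
`;

// Constructed denylist of name@version pairs (hypothetical, for illustration).
const FLAGGED = new Set(['dodgy-helper@0.1.2']);

// Parse a yarn.lock v1 text into entries: { specifiers: [...], fields: {...} }.
// A block starts with an unindented "spec, spec:" line; the two-space-indented
// lines below it are fields. Deeper-indented lines (e.g. "dependencies:") are skipped.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line.trim() === '' || line.trimStart().startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const header = line.replace(/:\s*$/, '');
      const specifiers = header.split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      current = { specifiers, fields: {} };
      entries.push(current);
      continue;
    }
    const m = line.match(/^  (\S+) "?([^"]*)"?$/);
    if (m && current) current.fields[m[1]] = m[2];
  }
  return entries;
}

// "@scope/pkg@^1.0.0" -> "@scope/pkg"; the range sits after the last "@".
function packageName(specifier) {
  const at = specifier.lastIndexOf('@');
  return at > 0 ? specifier.slice(0, at) : specifier;
}

// Returns a list of findings; an empty list means every entry is pinned with an
// integrity hash, its tarball matches its version, and nothing is on the denylist.
function auditLockfile(text, flagged) {
  const findings = [];
  for (const entry of parseYarnLock(text)) {
    const name = packageName(entry.specifiers[0]);
    const { version, resolved, integrity } = entry.fields;
    if (!version) findings.push({ name, problem: 'missing version' });
    if (!resolved) findings.push({ name, version, problem: 'missing resolved URL' });
    if (!integrity) findings.push({ name, version, problem: 'missing integrity hash' });
    if (resolved && version) {
      // Strip the "#hash" fragment, then compare the tarball name with the pinned version.
      const tarball = resolved.split('#')[0].split('/').pop();
      if (!tarball.endsWith(`-${version}.tgz`)) {
        findings.push({ name, version, problem: `resolved tarball ${tarball} does not match version` });
      }
    }
    if (version && flagged.has(`${name}@${version}`)) {
      findings.push({ name, version, problem: 'matches flagged release' });
    }
  }
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCKFILE, FLAGGED));
```

On the constructed lockfile this reports three findings: `no-hash` has no integrity hash, `mismatch` pins 3.1.0 but resolves to a 3.0.9 tarball, and `dodgy-helper@0.1.2` is on the denylist. It complements rather than replaces `yarn audit`: the audit command asks the registry about published advisories, whereas this check only inspects what the lockfile itself commits you to installing.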
The copay wallet (hosted by bitpay, a big Bitcoin payment processing company) had a backdoor:
sources:
How does session private messenger mitigate such supply chain attacks?