
Release v25.07.1


@ShahanaFarooqui ShahanaFarooqui released this 09 Sep 03:56

Summary

This release adds npm dependency overrides as an urgent, proactive mitigation against the ongoing npm supply-chain compromise in which malicious code was published in widely used packages.

Important Context

While the application does not directly depend on the compromised packages, they are transitive dependencies pulled in by other libraries. Crucially, our existing package-lock.json did not reference any of the known malicious versions. However, the npm registry is a moving target: any install that resolves version ranges afresh (an npm install without the lockfile, or one that updates it) could have picked up a malicious version published after the lockfile was generated. This release removes that possibility.

This update is a temporary safeguard to ensure continuous protection while the situation remains active and upstream maintainers work on permanent solutions.

Action Taken

We have added mandatory dependency overrides (the overrides field in package.json) that enforce known-good versions of every at-risk package across the entire dependency tree. The overrides:

  • Force npm to ignore the version ranges that any indirect dependency requests for these packages.
  • Pin every copy in the tree, including nested copies, to audited, safe versions.
  • Protect the application from the data exfiltration and credential theft attempts carried out by the compromised versions.

Required User Actions

To apply this critical mitigation, users must perform a clean installation. Please follow these steps precisely:

  • Update to this release (v25.07.1), which carries the overrides and the regenerated package-lock.json
  • Run npm ci, which installs exactly the versions recorded in the updated lockfile and fails, rather than silently re-resolving, if package.json and the lockfile disagree
  • Rebuild the application with npm run build
  • Remove development dependencies with npm prune --omit=dev
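After npm ci, a practitioner will want to confirm two things: that no copy of an at-risk package, hoisted or nested, sits in the lockfile at a known-bad version, and that package.json actually carries an override for each at-risk package so a later resolve cannot drift back. The script below is an added example, not code from this project or the linked disclosure. The package names, versions and the deny-list in it are hypothetical placeholders, and the package.json and package-lock.json fragments are constructed inline (the lockfile deliberately contains a nested copy at a blocked version, which is exactly the case a top-level-only check misses). It follows the lockfileVersion 3 layout, where installed packages are keyed by their node_modules path.

```javascript
// Added example (not the project's own code): audit a package-lock.json for
// known-bad versions of at-risk packages and check that package.json overrides
// cover each of them. All package names/versions here are HYPOTHETICAL.

// Constructed package.json fragment, as written after adding npm "overrides".
const packageJson = {
  name: "example-app",
  version: "1.0.0",
  dependencies: { "some-ui-lib": "^2.0.0" },
  overrides: {
    "example-colors": "4.1.2", // hypothetical at-risk package pinned to a safe version
    "example-debug": "4.3.6",
  },
};

// Constructed lockfile (lockfileVersion 3). Keys are node_modules paths; a key
// with two "node_modules/" segments is a nested copy under another dependency.
const packageLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/some-ui-lib": { version: "2.3.0" },
    "node_modules/example-colors": { version: "4.1.2" },
    "node_modules/example-debug": { version: "4.3.6" },
    "node_modules/some-ui-lib/node_modules/example-debug": { version: "4.4.2" }, // stale nested copy
    "node_modules/@example/scoped-pkg": { version: "1.0.0" },
  },
};

// Hypothetical deny-list: package name -> versions known to be malicious.
const BLOCKED = {
  "example-colors": new Set(["5.6.1"]),
  "example-debug": new Set(["4.4.2"]),
  "@example/scoped-pkg": new Set(["1.0.1"]),
};

// Package name from a lockfile path key: everything after the last
// "node_modules/" (this keeps scoped names such as "@scope/name" intact).
function packageNameFromPath(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

// Every installed copy of a blocked package at a blocked version, wherever it
// sits in the tree (hoisted at the top level or nested under another package).
function findBlockedVersions(lock, blocked) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !blocked[name]) continue;
    if (blocked[name].has(entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// At-risk packages that have no override entry. The override is what stops a
// future resolve from drifting back into a blocked version.
function missingOverrides(pkg, blocked) {
  const overrides = pkg.overrides || {};
  return Object.keys(blocked).filter((name) => !(name in overrides));
}

// Combined verdict suitable for a CI gate run right after `npm ci`.
function audit(pkg, lock, blocked) {
  const hits = findBlockedVersions(lock, blocked);
  const missing = missingOverrides(pkg, blocked);
  return { ok: hits.length === 0 && missing.length === 0, hits, missing };
}

const result = audit(packageJson, packageLock, BLOCKED);
for (const h of result.hits) {
  console.log(`BLOCKED version installed: ${h.name}@${h.version} at ${h.path}`);
}
for (const m of result.missing) {
  console.log(`no override for at-risk package: ${m}`);
}
console.log(result.ok ? "lockfile clean" : "lockfile NOT clean");
```

In a real repository the two objects would come from JSON.parse of package.json and package-lock.json, and the deny-list from the advisory being tracked. The nested 4.4.2 copy in the constructed lockfile is what a stale lockfile looks like when an override was added but the lockfile was not regenerated; a scoped package with no override is reported even though its installed version is currently fine, because that is precisely the gap a future resolve could exploit.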

Next Steps & Long-Term Solution

These overrides are a defensive measure, not a permanent fix. We are actively monitoring the npm registry for patched releases and statements from the affected package maintainers, and will issue a follow-up release that removes the overrides and upgrades all dependencies to their official, stable versions once those are available and have been vetted.

References

For an in-depth analysis of the compromise and the malicious code that was found, please read the original disclosure:
https://jdstaerk.substack.com/p/we-just-found-malicious-code-in-the