
Cesium dependency on es5-ext protestware trojan #10919

Closed
cfairchi opened this issue Nov 22, 2022 · 4 comments · Fixed by #11968

Comments

@cfairchi

Cesium has a dependency on gulp@4.02 -> undertaker@1.3.0 -> es6-weak-map@2.0.3 -> es5-ext

es5-ext\_postinstall.js is flagged as a Trojan

SHA-256: 921812FD619E8E575AB52F426E2F47DD313787DB49C7C938A7A52D0F403C16EE
SHA-1: 4E7D5E7992F67E6EA4D602D8145360890EDD1C3D
MD5: 078B8FFDCEC9D4DD803B73E2CE332384
THREAT NAME: Script.Trojan.A6117991
File: node_modules\es5-ext\_postinstall.js
Quick Heal: Script.Trojan.A6117991

It appears to be protestware and is blocking us from using cesium as it won't pass virus scans.
https://medium.com/checkmarx-security/new-protestware-found-lurking-in-highly-popular-npm-package-d46f8ba67e36


@cfairchi
Author

gulpjs/gulp#2704

@ggetz
Contributor

ggetz commented Nov 28, 2022

Thanks for the report @cfairchi!

To clarify, this is an issue when using the zip file or running npm install from the root directory, correct? If so, as a workaround you may avoid installing gulp and the other devDependencies by using the --production flag; however, you will not be able to run any of the development scripts.

To resolve the root issue, we can either wait, and update gulp when they release the next major version (which will hopefully happen soon), or remove the gulp dependency.

@Atulin

Atulin commented Feb 15, 2023

Gulp hasn't had a new release for 4 years now, and nothing makes me believe they'll have one for at least 4 more years, if at all. I'm afraid withering or removing the Gulp dependency are the only choices.

@Dimava

Dimava commented Mar 18, 2023

This can be solved by forcing an exact version of es5-ext (the example below works with Yarn)

<package.json>
```json
{
  "resolutions": {
    "es5-ext": "0.10.53"
  }
}
```
