legacy-swc-helpers critical vulnerability #9400

CarlOfHoly · 2024-08-08T11:44:33Z

CarlOfHoly
Aug 8, 2024

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

My project has it as a dependency, but from package-lock I can see that

    "node_modules/legacy-swc-helpers": {
      "name": "@swc/helpers",
      "version": "0.4.14",
      "resolved": "https://registry.npmjs.org/@swc/helpers/-/helpers-0.4.14.tgz",
      "integrity": "sha512-4C7nX/dvpzB7za4Ql9K81xK3HPxCpHMgwTZVyf+9JQ6VUbn9jjZVN7/Nkdz/Ugzs2CSjqnL/UPXroiVBVHUWUw==",
      "dependencies": {
        "tslib": "^2.4.0"
      }
    },

it resolves to @swc/helpers v 0.4.14. Does that mean that I am safe?

magic-akari · 2024-08-08T12:13:30Z

magic-akari
Aug 8, 2024
Collaborator

I suspect that someone recently registered the package "legacy-swc-helpers": https://www.npmjs.com/package/legacy-swc-helpers. However, this name used by "@swc/helpers@0.4.16" is merely a reference to the old swc helpers package and does not actually point to the package on npm.
So you should not encounter any issues.

12 replies

kdy1 Aug 30, 2024
Maintainer

@magic-akari Do you have the source code? IIRC we didn't commit it to the repository intentionally

magic-akari Aug 30, 2024
Collaborator

@magic-akari Do you have the source code? IIRC we didn't commit it to the repository intentionally

We can download it from npm.
It's @swc/helpers@0.4.14.
We won't update it since it's for historical reasons.

~~Or you can just put a single index.js with content：~~

// @swc/legacy-helpers/index.js
module.exports = require("@swc/hepers");

~~and include @swc/helpers@0.4.14 as dependencies.~~

Edited: there are more the one entries. Re-exporting cannot handle it.

zachmerrill Oct 9, 2024

Any update on a resolution for this? GitHub is still flagging this dependency.

kdy1 Oct 9, 2024
Maintainer

I'll do this right away. Sorry, I forgot about it.

kdy1 Oct 10, 2024
Maintainer

@swc/helpers@0.4.37 should have this issue fixed.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

legacy-swc-helpers critical vulnerability #9400

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 12 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

legacy-swc-helpers critical vulnerability #9400

Uh oh!

CarlOfHoly Aug 8, 2024

Replies: 1 comment · 12 replies

Uh oh!

Uh oh!

magic-akari Aug 8, 2024 Collaborator

Uh oh!

kdy1 Aug 30, 2024 Maintainer

Uh oh!

Uh oh!

magic-akari Aug 30, 2024 Collaborator

Uh oh!

zachmerrill Oct 9, 2024

Uh oh!

kdy1 Oct 9, 2024 Maintainer

Uh oh!

kdy1 Oct 10, 2024 Maintainer

CarlOfHoly
Aug 8, 2024

Replies: 1 comment 12 replies

magic-akari
Aug 8, 2024
Collaborator

kdy1 Aug 30, 2024
Maintainer

magic-akari Aug 30, 2024
Collaborator

kdy1 Oct 9, 2024
Maintainer

kdy1 Oct 10, 2024
Maintainer