-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bats-file npm package removed by security team #44
Comments
Thanks for the report. This is the first time I hear about that. We will have to inquire with npm to get more details. I see following potential reasons:
Anyway we will have to investigate. |
The description text mentioned above is gone now. |
I did not yet hear back from the npm team. However, internal discussion showed that we never published a bats-file package. This means the package you linked to was published by a third party. Unfortunately, this means we don't know what was in that package. |
bats-file (this repo) was forked from a long-time bats community member's bats-file. The original repo contained a package.json that was initially used primarily as a means to simplify the installation of sibling bats projects for testing. I don't believe the package.json was ever used as a means of publishing bats-file itself. This is demonstrated by it being configured as |
I see the issue is still open and no final resolution posted. In that sense, as far as I can see when looking to bats-support and bats-assert, these packages are also only owned by a bats-core member @jasonkarns but not the org itself. |
There has been internal discussion about this topic but there is no final decision or timeline, yet. |
@martin-schulze-vireso if you want you can include me in the internal discussion about this, I have a natural interest on "packaging" tasks and I have experience with most of the different distros and language-related package. :) |
I am not sure which chat you are talking about exactly. We are still evaluating where to bundle internal communication. With regard to this issue: the current idea is to provide official npm packages under the bats scope to prevent a vacuum that can be filled by nefarious actors. |
According to https://www.npmjs.com/package/bats-file:
Clicking the link goes to github advisories, but nothing is listed there for bats-file.
Do you have any context on this?
The text was updated successfully, but these errors were encountered: