bats-file npm package removed by security team #44

Open
calliecameron opened this issue May 3, 2022 · 8 comments

Comments

@calliecameron

According to https://www.npmjs.com/package/bats-file:

Security holding package
This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.

Please refer to www.npmjs.com/advisories?search=bats-file for more information.

Clicking the link goes to github advisories, but nothing is listed there for bats-file.

Do you have any context on this?

@martin-schulze-vireso
Member

martin-schulze-vireso commented May 3, 2022

Thanks for the report. This is the first time I have heard about that. We will have to inquire with npm to get more details. I see the following potential reasons:

  1. The code is too old
  2. The code triggered some false positive in automated security scans
  3. We actually have some backdoors in the package, either due to an oversight or due to a breach like https://thehackernews.com/2021/09/travis-ci-flaw-exposes-secrets-of.html

Anyway, we will have to investigate.

@martin-schulze-vireso
Member

The description text mentioned above is gone now.

@martin-schulze-vireso
Member

I did not yet hear back from the npm team.

However, internal discussion showed that we never published a bats-file package. This means the package you linked to was published by a third party.

Unfortunately, this means we don't know what was in that package.

@jasonkarns
Member

bats-file (this repo) was forked from a long-time bats community member's bats-file.

The original repo contained a package.json that was initially used primarily as a means to simplify the installation of sibling bats projects for testing. I don't believe the package.json was ever used as a means of publishing bats-file itself. This is demonstrated by it being configured as `private: true`, which prevents publishing. It has remained private for as long as our fork has existed. The package published on npm is not by the bats-core org nor published by any member of the [bats-core org](https://www.npmjs.com/org/bats-core).

@marcelhuberfoo

I see the issue is still open and no final resolution posted.
Are there plans to add bats-file as a bats-core org provided npm package?

In that sense, as far as I can see when looking at bats-support and bats-assert, these packages are also only owned by a bats-core member @jasonkarns but not the org itself.
Are there plans to change this situation in the future so that everyone is able to use `npm install bats-file` as an officially supported package owned by bats-org?

@martin-schulze-vireso
Member

There has been internal discussion about this topic but there is no final decision or timeline, yet.

@brokenpip3

brokenpip3 commented Mar 23, 2023

@martin-schulze-vireso if you want you can include me in the internal discussion about this, I have a natural interest in "packaging" tasks and I have experience with most of the different distros and language-related packages. :)
I also recently joined the chat, will ping you there 👋

@martin-schulze-vireso
Member

I am not sure which chat you are talking about exactly. We are still evaluating where to bundle internal communication.

With regard to this issue: the current idea is to provide official npm packages under the bats scope to prevent a vacuum that can be filled by nefarious actors.
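The two guards raised in this thread, a `private: true` manifest so a repo is never accidentally published, and scoped official names so an unscoped name cannot be claimed by someone else, can be checked mechanically in CI. The script below is an added example, not code from bats-core or from this thread: it audits a constructed package.json and package-lock.json for a manifest that is publishable and for dependencies whose unscoped name matches a project the org owns but which would be fetched from the public registry. The project-name set, the `@example-org` scope and the sample inputs are assumptions for illustration; the real scope the maintainers mentioned is not named on the page.

```python
"""Audit npm manifests for the two guards discussed in the thread (added example).

1. "private": true prevents `npm publish` of a repo that is not meant to be a package.
2. A dependency on an unscoped name the org owns, pulled from the public registry,
   would install whatever a third party has published under that name.
"""
import json
from typing import List

# Assumption for this example: names the organisation considers its own.
OWN_PROJECT_NAMES = {"bats-file", "bats-assert", "bats-support"}
# Placeholder scope; the thread does not name the real one.
OFFICIAL_SCOPE = "@example-org"
# Specs with these prefixes are fetched from git, disk or a URL, not the registry.
NON_REGISTRY_PREFIXES = ("git", "github:", "file:", "link:", "http://", "https://")
PRIVATE_MSG = 'publishable manifest: "private" is not true'


def comes_from_registry(spec: str) -> bool:
    """A semver range or dist-tag resolves on the registry; git/file/URL specs do not."""
    return not spec.startswith(NON_REGISTRY_PREFIXES)


def audit_manifest(manifest_text: str) -> List[str]:
    """Return findings for a package.json given as text."""
    manifest = json.loads(manifest_text)
    findings = []
    if manifest.get("private") is not True:
        findings.append(PRIVATE_MSG)
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if name in OWN_PROJECT_NAMES and not name.startswith("@") and comes_from_registry(spec):
                findings.append(
                    f"{section}: '{name}' ({spec}) resolves to an unscoped registry package; "
                    f"pin a git URL or depend on {OFFICIAL_SCOPE}/{name}"
                )
    return findings


def audit_lockfile(lock_text: str) -> List[str]:
    """Return findings for a lockfileVersion 2/3 package-lock.json given as text."""
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path:  # "" is the root package itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = entry.get("resolved", "")
        if name in OWN_PROJECT_NAMES and resolved.startswith("https://registry.npmjs.org/"):
            findings.append(f"lockfile: '{name}' resolved from the public registry: {resolved}")
    return findings


# Constructed sample inputs: one git-pinned sibling project and one registry range.
SAMPLE_MANIFEST = """{
  "name": "bats-file",
  "private": true,
  "devDependencies": {
    "bats-support": "git+https://github.com/bats-core/bats-support.git",
    "bats-assert": "^2.0.0"
  }
}"""

SAMPLE_LOCK = """{
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "bats-file"},
    "node_modules/bats-support": {"resolved": "git+ssh://git@github.com/bats-core/bats-support.git#0000000"},
    "node_modules/bats-assert": {"resolved": "https://registry.npmjs.org/bats-assert/-/bats-assert-2.0.0.tgz"}
  }
}"""


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST) + audit_lockfile(SAMPLE_LOCK):
        print("WARN", finding)
```

Run it as a CI step and fail the build on any finding; the manifest check catches a repo that silently becomes publishable, and the lockfile check catches the case where a git-pinned dependency was later swapped for a registry range that now resolves to an unrelated publisher.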

5 participants