Cesium dependency on es5-ext protestware trojan #10919
Comments
Thanks for the report @cfairchi! To clarify, this is an issue when using the zip file or running To resolve the root issue, we can either wait, and update gulp when they release the next major version (which will hopefully happen soon), or remove the gulp dependency.
Gulp hasn't had a new release for 4 years now, and nothing makes me believe they'll have one for at least 4 more years, if at all. I'm afraid withering or removing Gulp dependency are the only choices.
This can be solved by forcing an exact version of es5-ext (the example below works with Yarn)
Cesium has a dependency on gulp@4.02 -> undertaker@1.3.0 -> es6-weak-map@2.0.3 -> es5-ext
es5-ext_postinstall.js is flagged as a Trojan
SHA-256: 921812FD619E8E575AB52F426E2F47DD313787DB49C7C938A7A52D0F403C16EE
SHA-1: 4E7D5E7992F67E6EA4D602D8145360890EDD1C3D
MD5: 078B8FFDCEC9D4DD803B73E2CE332384
THREAT NAME: Script.Trojan.A6117991
File: node_modules\es5-ext_postinstall.js
Quick Heal: Script.Trojan.A6117991
It appears to be protestware and is blocking us from using cesium as it won't pass virus scans.
https://medium.com/checkmarx-security/new-protestware-found-lurking-in-highly-popular-npm-package-d46f8ba67e36
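An added example, not code from the Cesium project or from anyone in this thread: a Node.js check that walks a `package-lock.json` in the v2/v3 `packages` layout and reports the dependency path to every package marked `hasInstallScript`, the way the gulp chain above reaches es5-ext. The lock data is constructed, its version ranges are placeholders, and `no-scripts` is a hypothetical package.

```javascript
// Constructed sample (package-lock.json v2/v3 "packages" layout); ranges are placeholders.
const sampleLock = {
  packages: {
    "": { devDependencies: { gulp: "<range>", "no-scripts": "<range>" } },
    "node_modules/gulp": { dependencies: { undertaker: "<range>" } },
    "node_modules/undertaker": { dependencies: { "es6-weak-map": "<range>" } },
    "node_modules/es6-weak-map": { dependencies: { "es5-ext": "<range>" } },
    "node_modules/es5-ext": { hasInstallScript: true },
    "node_modules/no-scripts": {},
  },
};

// Resolve a dependency the way Node does: look in the package's own
// node_modules first, then walk up towards the project root.
function resolveDep(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Breadth-first walk from the root project (devDependencies count only there).
// Returns one shortest name path to every package that runs an install script.
function findInstallScriptPaths(lock) {
  const packages = lock.packages || {};
  const findings = [];
  const seen = new Set([""]);
  const queue = [{ key: "", path: [] }];
  while (queue.length) {
    const { key, path } = queue.shift();
    const pkg = packages[key] || {};
    if (key && pkg.hasInstallScript) findings.push({ key, path });
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
                   ...(key ? {} : pkg.devDependencies) };
    for (const name of Object.keys(deps)) {
      const next = resolveDep(packages, key, name);
      if (!next || seen.has(next)) continue;
      seen.add(next);
      queue.push({ key: next, path: [...path, name] });
    }
  }
  return findings;
}

for (const f of findInstallScriptPaths(sampleLock)) console.log(f.path.join(" > "));
```

To run it against a real project, pass the parsed contents of that project's `package-lock.json` instead of `sampleLock`.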