A quick workaround if you're affected by a deep dependency and don't rely on stylus directly - add `"overrides": {"stylus": "0.0.1-security"}` to your package.json
Work around the issue by installing directly from GitHub using package.json overrides:
```
"overrides": {
"stylus": "github:stylus/stylus#0.64.0"
}
```
From how is unfolding the most probable outcome is that one of the maintainer is compromised ( Ponya ), all of the packages he contributed to have been marked
The title is wrong. There's no proof of compromise. There are no releases of the package since October. Apparently one of the long-time maintainers has pushed other compromised packages, so npm just nuked all the packages he had access to, whether they were compromised or not.
My staging build was failing and I saw that stylus was the culprit. Running `npm why stylus`, `npm ls --all stylus`, and other variants of these two commands consistently returned nothing, but I can see it in my lockfile if I run `grep -R stylus package-lock.json`.
Even running `npm audit | grep stylus` returned nothing! Which I think is pretty crazy considering the package itself has been overwritten by NPM to include a 0 context scary "Security holding package" thing. Surely this sort of thing should show up in the `audit` results?
I have to say NPM packaging is terrible. I probably spend 1 month of the year fiddling with upgrading packages due to security issues. That is just the amount of time I spend on my repos alone. All of this extra effort to avoid code signing and making package owners accountable.
It seems like every week there is a new security high sev ticket to fix some webpack dependency.
Not to mention that even if you do successfully run “npm audit fix” (—force), Npm may not update to the correct new version and will often downgrade packages many many many versions.
The error messages that Npm spits out have always frightened junior devs too.
I can’t wait for that whole ecosystem to be replaced.
14 comments
[ 3.2 ms ] story [ 49.1 ms ] threadMaintainer @iChenLei reports they are negotiating with npm officials to restore access: https://github.com/stylus/stylus/issues/2938
https://github.com/advisories/GHSA-fh4q-jc76-r59p
I'm still unsure if it's a mistake on NPM side or if stylus and the authors are compromised
My staging build was failing and I saw that stylus was the culprit. Running `npm why stylus`, `npm ls --all stylus`, and other variants of these two commands consistently returned nothing, but I can see it in my lockfile if I run `grep -R stylus package-lock.json`.
Even running `npm audit | grep stylus` returned nothing! Which I think is pretty crazy considering the package itself has been overwritten by NPM to include a 0 context scary "Security holding package" thing. Surely this sort of thing should show up in the `audit` results?
Add this on your package.json on the end of file bevor last }:
Looks suspicious if you ask me. Maybe somebody hacked the github advisory db?
https://github.com/advisories?page=1&query=type%3Amalware
It seems like every week there is a new security high sev ticket to fix some webpack dependency.
Not to mention that even if you do successfully run “npm audit fix” (—force), Npm may not update to the correct new version and will often downgrade packages many many many versions.
The error messages that Npm spits out have always frightened junior devs too.
I can’t wait for that whole ecosystem to be replaced.
This has been reflected in a recent edit and comments here: https://github.com/stylus/stylus/issues/2938
No updates to the security advisory at this time: https://web.archive.org/web/20250723155624/https://github.co...