
Release v0.15.6-beta

@saubyk released this 10 Sep 03:32 · 8 commits to master since this release · tag v0.15.6 · commit 7340cb3

What’s new

We’ve added a fix to protect against a recent npm supply-chain attack where malicious code was found in popular packages.
(Details: link)

Why it matters

  • Our app doesn’t directly use the bad packages.
  • They could still sneak in through indirect dependencies.
  • Even though our current package-lock.json was safe, a fresh npm install could have pulled in a hacked version.

What we did

  • Forced npm to always use safe, audited versions of the risky packages.
  • Ignored any vulnerable versions that might be requested by other dependencies.
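One way to confirm that pins like these actually hold in a lockfile, including for copies nested under other dependencies. This is an added example, not RTL's own code. It assumes the pins are flat, exact-version entries in npm's overrides field of package.json (the release notes do not name the mechanism), and the package names and versions in the sample data are constructed.

```javascript
// Added example, not RTL's code. Assumption: pins are flat, exact-version
// entries in the package.json "overrides" field; sample data is constructed.

// "node_modules/a/node_modules/@s/b" -> "@s/b"; null for the root ("") entry.
function packageNameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns every installed copy of a pinned package whose locked version
// differs from the pin, including copies nested under other dependencies.
function findOverrideViolations(packageJson, lockfile) {
  if (!lockfile.packages) throw new Error('lockfileVersion 2 or 3 required');
  const pins = packageJson.overrides || {};
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages)) {
    const name = packageNameFromLockPath(lockPath);
    if (name === null || entry.link) continue; // root project or workspace link
    const pinned = pins[name];
    if (typeof pinned !== 'string') continue;  // not pinned, or a nested override
    if (entry.version !== pinned) {
      violations.push({ path: lockPath, name, expected: pinned, found: entry.version });
    }
  }
  return violations;
}

// Constructed sample: one transitive copy of a pinned package escaped the pin.
const samplePackageJson = {
  name: 'demo-app',
  overrides: { 'example-color': '1.2.0', '@example/logger': '3.0.1' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/example-color': { version: '1.2.0' },
    'node_modules/some-cli': { version: '4.0.0' },
    'node_modules/some-cli/node_modules/example-color': { version: '1.2.1' },
    'node_modules/@example/logger': { version: '3.0.1' },
  },
};

console.log(findOverrideViolations(samplePackageJson, sampleLock));
```

In CI, feed it the parsed package.json and package-lock.json and fail the build when the returned list is not empty.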

What you need to do

Run a clean install on the new release with npm ci --omit=dev --legacy-peer-deps.


PGP Key: https://keybase.io/suheb
Retrieve the source code repository, check for the latest release and verify the code signature

$ git clone https://github.com/Ride-The-Lightning/RTL.git
$ cd RTL

$ git checkout v0.15.6

$ git verify-tag v0.15.6
gpg: Signature made Tue Sep  9 20:04:18 2025 PDT
gpg:                using RSA key 3E9BD4436C288039CA827A9200C9E2BC2E45666F
gpg: Good signature from "saubyk (added uid) <[email protected]>" [ultimate]
gpg:                 aka "Suheb <[email protected]>" [ultimate]

Install RTL via npm

npm ci --omit=dev --legacy-peer-deps

Docker images available at https://hub.docker.com/r/shahanafarooqui/rtl/tags