Skip to content

chore: pin eslint-config-prettier and eslint-plugin-prettier versions to prevent malicious package installation #2239

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 20, 2025
Merged

chore: pin eslint-config-prettier and eslint-plugin-prettier versions to prevent malicious package installation #2239

merged 3 commits into from
Jul 20, 2025
+4 −4

Conversation

tusharpandey13
Copy link
Contributor

@tusharpandey13 tusharpandey13 commented Jul 20, 2025
edited
Loading

Pin eslint-config-prettier and eslint-plugin-prettier to exact versions to protect against the recent npm phishing attack that compromised these packages. The caret range ^10.0.1 could have installed malicious versions 10.1.6 and 10.1.7.

  • All new/changed/fixed functionality is covered by tests (or N/A)
  • I have added documentation for all new/changed functionality (or N/A)

🔍 RCA

A phishing campaign compromised npm maintainer credentials, leading to malicious versions of eslint-config-prettier (10.1.6, 10.1.7) and eslint-plugin-prettier (4.2.2, 4.2.3) being published. Our semver range ^10.0.1 was vulnerable to installing the malicious 10.1.6 and 10.1.7 versions.

📋 Changes

Pin exact versions of potentially vulnerable packages to prevent automatic installation of compromised versions through semver ranges.

  • Changed package.json: pinned eslint-config-prettier from ^10.0.1 to 10.1.5 and eslint-plugin-prettier from ^5.2.3 to 5.5.1
  • Changed package-lock.json: removed version ranges.

📎 References

https://socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise

🎯 Testing

Automated:
No new tests required - this is a dependency version change with no functional impact.

Manual:

  1. Run pnpm install to verify no version conflicts
  2. Run pnpm run lint to confirm ESLint configuration still works
  3. Verify the pinned versions match the existing pnpm-lock.yaml entries

@tusharpandey13 tusharpandey13 requested a review from a team as a code owner July 20, 2025 17:57
@tusharpandey13 tusharpandey13 changed the title chore: Update prettier dependencies chore: pin eslint-config-prettier and eslint-plugin-prettier versions to prevent malicious package installation Jul 20, 2025
@codecov-commenter
Copy link

codecov-commenter commented Jul 20, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 84.40%. Comparing base (35257e4) to head (2b08701).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #2239   +/-   ##
=======================================
  Coverage   84.40%   84.40%           
=======================================
  Files          26       26           
  Lines        2379     2379           
  Branches      442      442           
=======================================
  Hits         2008     2008           
  Misses        365      365           
  Partials        6        6

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@tusharpandey13 tusharpandey13 enabled auto-merge (squash) July 20, 2025 18:30
developerkunal
developerkunal approved these changes Jul 20, 2025
View reviewed changes
Copy link

@developerkunal developerkunal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tusharpandey13 tusharpandey13 merged commit 533c4b7 into main Jul 20, 2025
12 checks passed
@tusharpandey13 tusharpandey13 deleted the security/prettier-phishing-fix branch July 20, 2025 18:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@developerkunal developerkunal developerkunal approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tusharpandey13 @codecov-commenter @developerkunal