James Ward
@jamesward
omg. so crazy.
actually i'm surprised this never happened on maven central. which it totally could have
and maven central doesn't actually have a way to do 2FA
nafg
@nafg
maybe because of PGP?
James Ward
@jamesward
you can sign artifacts with any key so no real protection there
nafg
@nafg
Well maven doesn't run arbitrary scripts on "install"
And almost no one uses version ranges
James Ward
@jamesward
true. but once something is loaded into a classloader, i think you can exec code
nafg
@nafg
or you could just have malicious code on a normal codepath
James Ward
@jamesward
yup. the non-version range culture definitely helps avoid this
nafg
@nafg
Also, even if there was (or is) a bad artifact, maven artifacts don't have such huge dependency chains like on npm (think left-pad)
So even if there was a bad artifact, how many people would it affect without knowing it
James Ward
@jamesward
true
oh, i wonder if that bad version was webjar'd...
nope. good :)
nafg
@nafg
Also, it could be that a lot of JS devs are less professional, and a lot of micro-libs are made by individuals, largely because there are so many JS devs, so even if the percentage of the community is the same, there are higher odds of someone being hacked
I still don't know how the credentials were initially stolen

https://www.bleepingcomputer.com/news/security/compromised-javascript-package-caught-stealing-npm-credentials/:

This is the third incident in the past year when a hacker has inserted malicious code in an npm package.
[...]
Similar incidents with malware ending up in package repositories have happened with Python's PyPI [1, 2], Docker Hub, Arch Linux AUR, and the Ubuntu Store.

So not just npm...
nafg
@nafg
https://news.ycombinator.com/item?id=15256121 suggests that maven's advantage is that first submissions are manually reviewed, FWIW
elyphas
@elyphas

@nafg; hi, sorry,
I tried this:

dependencyOverrides in ThisBuild += "org.webjars.npm" % "js-tokens" % "3.0.2"

in my build.sbt
but I get a lot of errors of

LinkingException: There were linking errors
No source available, here is the exception stack trace:
->org.scalajs.core.tools.linker.LinkingException: There were linking errors
  org.scalajs.core.tools.linker.frontend.BaseLinker.linkInternal(BaseLinker.scala:160)
  org.scalajs.core.tools.linker.frontend.BaseLinker.linkInternal(BaseLinker.scala:108)
  org.scalajs.core.tools.linker.frontend.LinkerFrontend.$anonfun$link$3(LinkerFrontend.scala:63)
  org.scalajs.core.tools.logging.Logger.time(Logger.scala:28)
  org.scalajs.core.tools.logging.Logger.time$(Logger.scala:26)
  org.scalajs.sbtplugin.Loggers$SbtLoggerWrapper.time(Loggers.scala:7)
  org.scalajs.core.tools.linker.frontend.LinkerFrontend.link(LinkerFrontend.scala:62)
  org.scalajs.core.tools.linker.Linker.$anonfun$link$1(Linker.scala:52)
  scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)
  org.scalajs.core.tools.linker.Linker.guard(Linker.scala:69)
  org.scalajs.core.tools.linker.Linker.link(Linker.scala:50)
  org.scalajs.core.tools.linker.ClearableLinker.$anonfun$link$1(ClearableLinker.scala:52)
  org.scalajs.core.tools.linker.ClearableLinker.$anonfun$link$1$adapted(ClearableLinker.scala:52)
  org.scalajs.core.tools.linker.ClearableLinker.linkerOp(ClearableLinker.scala:63)

Could you tell me what is wrong?

nafg
@nafg
@elyphas one has nothing to do with the other. Try doing a clean build anyway
It means that something is on the JVM classpath so it compiled but doesn't have sjsir for it. Check for a scalajs dependency using %% instead of %%%. Otherwise ask in the scalajs gitter room
elyphas
@elyphas
@nafg; thank you
Raúl Piaggio
@rpiaggio
@jamesward and @nafg thank you for your answers. Actually, thanks to this issue I realized I was pulling in a lot of unnecessary transitive dependencies, since I'm using webjars only to import CSS files (I use a separate browserify build to build JS dependencies). However, I can't find an easy way to exclude all transitive dependencies in sbt 0.13. exclude("*", "") doesn't seem to work in 0.13, and excludeAll(ExclusionRule()) seems to exclude the whole dependency (instead of just the transitive ones). Is there a way of achieving this in a "wildcardy" way in 0.13?
nafg
@nafg
@rpiaggio I think there's .intransitive or something like that
Raúl Piaggio
@rpiaggio
oh yes, can't believe I missed that, let me try it; thank you!
James Ward
@jamesward
Thanks @nafg!
Raúl Piaggio
@rpiaggio
worked like a charm
Daan Hoogenboezem
@daanhoogenboezem
does someone know if 3.0 versions of polymer components are available anywhere in webjar format?
James Ward
@jamesward
@daanhoogenboezem We've been discussing that but it looks like there might be some issues: webjars/webjars#1809
Namely that the architecture for Polymer 3 seems to require something like webpack.
Daan Hoogenboezem
@daanhoogenboezem
thanks for the link, will have a read
Kirill Bulatov
@SomeoneToIgnore
Hey @jamesward , could you tell more about bowergithub archive contents change?
I see that a new @webcomponents directory had appeared inside of an archive:
Screen Shot 2018-09-24 at 17.59.37.png
Ah, ok, there's an issue already, sorry: webjars/webjars#1786
Connor Fitzgerald
@cwfitzgerald
How long after the add webjar process does it take for it to show up in the search index?
James Ward
@jamesward
a couple hours. let me know if not
Thomas Segismont
@tsegismont
Hi everyone. I work for Red Hat and I'm a Vert.x core team member. We had questions about using webjars with Vert.x so I sent a PR in the documentation.
Let me know if you need anything else (create issue first... etc.)
James Ward
@jamesward
Awesome! Thanks @tsegismont.
Thomas Segismont
@tsegismont
You're welcome :)
James Ward
@jamesward
Should be live in ~10 minutes
Thomas Segismont
@tsegismont
:thumbsup:
Giovanni Lovato
@heruan
Hello! I’m trying to post a new webjar version, but I get an error about the version not available:
curl -X POST https://www.webjars.org/deploy\?webJarType=BowerGitHub\&nameOrUrlish=https://github.com/heruan/vaadin-lumo-styles\&version=v1.4.2-axians1
{"code":"ENORESTARGET","details":"Available versions in git://github.com/heruan/vaadin-lumo-styles.git: 1.0.0-beta3, 1.0.0-beta2, 1.0.0-beta1, 1.0.0-alpha3, 1.0.0-alpha2, 1.0.0-alpha1","data":{"endpoint":{"name":"","source":"git://github.com/heruan/vaadin-lumo-styles","target":"v1.4.2-axians1"},"resolver":{"name":"vaadin-lumo-styles","source":"git://github.com/heruan/vaadin-lumo-styles.git","target":"v1.4.2-axians1"}}}
Is there a version cache? How can I force to check new versions?
Giovanni Lovato
@heruan
Okay, now I see the versions. It took about 15m since pushing the tags!
Are the JARs deployed only to Maven Central? Any way to get them faster elsewhere or install them locally?