@@ -138,11 +138,11 @@ jobs:
138138 uses : salesforcecli/github-workflows/.github/actions/npmInstallWithRetries@main
139139 - name : Vulnerability check
140140 if : inputs.vulnerabilityCheck
141- # Temporary check for known vulnerable packages from the following supply chain attack:
142- # https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack
143- # Last updated 10:33 a.m. ET on September 9, 2025
141+ # Temporary check for known vulnerable packages from the following supply chain attacks:
144142 run : |
145143 vulns=(
144+ # https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack
145+ # Last updated 10:33 a.m. ET on September 9, 2025
146146 "@coveops/abi@2.0.1"
147147 "@duckdb/duckdb-wasm@1.29.2"
148148 "@duckdb/node-api@1.3.3"
@@ -171,6 +171,76 @@ jobs:
171171 "supports-color@10.2.1"
172172 "supports-hyperlinks@4.1.1"
173173 "wrap-ansi@9.0.1"
174+ # https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages
175+ # Last updated 10:40 a.m. ET on September 16, 2025
176+ "angulartics2@14.1.2"
177+ "@ctrl/deluge@7.2.2"
178+ "@ctrl/golang-template@1.4.3"
179+ "@ctrl/magnet-link@4.0.4"
180+ "@ctrl/ngx-codemirror@7.0.2"
181+ "@ctrl/ngx-csv@6.0.2"
182+ "@ctrl/ngx-emoji-mart@9.2.2"
183+ "@ctrl/ngx-rightclick@4.0.2"
184+ "@ctrl/qbittorrent@9.7.2"
185+ "@ctrl/react-adsense@2.0.2"
186+ "@ctrl/shared-torrent@6.3.2"
187+ "@ctrl/tinycolor@4.1.1"
188+ "@ctrl/tinycolor@4.1.2"
189+ "@ctrl/torrent-file@4.1.2"
190+ "@ctrl/transmission@7.3.1"
191+ "@ctrl/ts-base32@4.0.2"
192+ "encounter-playground@0.0.5"
193+ "json-rules-engine-simplified@0.2.1"
194+ "json-rules-engine-simplified@0.2.4"
195+ "koa2-swagger-ui@5.11.1"
196+ "koa2-swagger-ui@5.11.2"
197+ "@nativescript-community/gesturehandler@2.0.35"
198+ "@nativescript-community/sentry 4.6.43"
199+ "@nativescript-community/text@1.6.13"
200+ "@nativescript-community/ui-collectionview@6.0.6"
201+ "@nativescript-community/ui-drawer@0.1.30"
202+ "@nativescript-community/ui-image@4.5.6"
203+ "@nativescript-community/ui-material-bottomsheet@7.2.72"
204+ "@nativescript-community/ui-material-core@7.2.76"
205+ "@nativescript-community/ui-material-core-tabs@7.2.76"
206+ "ngx-color@10.0.2"
207+ "ngx-toastr@19.0.2"
208+ "ngx-trend@8.0.1"
209+ "react-complaint-image@0.0.35"
210+ "react-jsonschema-form-conditionals@0.3.21"
211+ "react-jsonschema-form-extras@1.0.4"
212+ "rxnt-authentication@0.0.6"
213+ "rxnt-healthchecks-nestjs@1.0.5"
214+ "rxnt-kue@1.0.7"
215+ "swc-plugin-component-annotate@1.9.2"
216+ "ts-gaussian@3.0.6"
217+ # https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages
218+ # Last updated 10:40 a.m. ET on September 16, 2025
219+ "@crowdstrike/commitlint@8.1.1"
220+ "@crowdstrike/commitlint@8.1.2"
221+ "@crowdstrike/falcon-shoelace@0.4.2"
222+ "@crowdstrike/foundry-js@0.19.2"
223+ "@crowdstrike/glide-core@0.34.2"
224+ "@crowdstrike/glide-core@0.34.3"
225+ "@crowdstrike/logscale-dashboard@1.205.2"
226+ "@crowdstrike/logscale-file-editor@1.205.2"
227+ "@crowdstrike/logscale-parser-edit@1.205.1"
228+ "@crowdstrike/logscale-parser-edit@1.205.2"
229+ "@crowdstrike/logscale-search@1.205.2"
230+ "@crowdstrike/tailwind-toucan-base@5.0.2"
231+ "browser-webdriver-downloader@3.0.8"
232+ "ember-browser-services@5.0.3"
233+ "ember-headless-form-yup@1.0.1"
234+ "ember-headless-form@1.1.3"
235+ "ember-headless-table@2.1.6"
236+ "ember-url-hash-polyfill@1.0.13"
237+ "ember-velcro@2.2.2"
238+ "eslint-config-crowdstrike-node@4.0.4"
239+ "eslint-config-crowdstrike@11.0.3"
240+ "monorepo-next@13.0.2"
241+ "remark-preset-lint-crowdstrike@4.0.2"
242+ "verror-extra@6.0.1"
243+ "yargs-help-output@5.0.3"
174244 )
175245
176246 for vuln in "${vulns[@]}"; do
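Review bot: The entry `"@nativescript-community/sentry 4.6.43"` on the new side of this hunk has a space where every other entry uses `@` between package name and version, so if the loop below matches entries as `name@version` strings this package is silently never checked; it should read `"@nativescript-community/sentry@4.6.43"`. The `for vuln` loop starts on the last line of the hunk and its body continues outside it, so the exact match format cannot be confirmed from here, but the other entries all follow the `name@version` shape. A one-line guard on each entry, e.g. `[[ "$vuln" == ?*@* ]] || { echo "malformed entry: $vuln"; exit 1; }`, would make CI fail loudly on a typo like this instead of letting a malformed entry pass as a no-op.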