
Rename the "arduino-ide-extension" NPM package to be scoped #2396

Open
@Xayton

Description

Describe the request

The Arduino IDE2 repository package.json file references two sub-packages, using the workspaces functionality. Even if these sub-packages are private, their names can be registered on npmjs.com and any content can be published under them, including malware. If this happens, NPM or Yarn will report that the Arduino IDE2 project contains malware.

See this reproduction example repo here.

Proposed solution:

  • rename the arduino-ide-extension package (inside this package.json file) to @arduino/arduino-ide-extension making it scoped.
  • update the code to make sure everything works correctly. There is no need to rename the arduino-ide-extension folder.

Notes:

  • Arduino owns the @arduino organization on npmjs.com, so this change should block anybody from again publishing a package containing malware.

Arduino IDE version

2.3.2
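As an added example (not code from the Arduino IDE project), a Node.js check for the risk described in this issue: it flags every unscoped workspace member, not only arduino-ide-extension, and applies the scoped rename together with the intra-workspace dependency updates it implies. The "example-app" member and the package.json contents are constructed stand-ins; the @arduino scope is the one named in the issue.

```javascript
// Added example, not code from the Arduino IDE repository: audit a Yarn/NPM
// workspace for members whose names are unscoped (claimable by anyone on
// npmjs.com) and rewrite them under a scope the organization controls.
// "@arduino" and "arduino-ide-extension" come from the issue; "example-app"
// and the package.json objects are constructed stand-ins for the real files.
const SCOPE = '@arduino';
const DEP_FIELDS = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];

const rootPkg = { name: 'arduino-ide', private: true, workspaces: ['arduino-ide-extension', 'example-app'] };

// Keyed by workspace directory; each value stands for that directory's package.json.
const memberPkgs = {
  'arduino-ide-extension': { name: 'arduino-ide-extension', version: '2.3.2', private: true },
  'example-app': { name: 'example-app', version: '2.3.2', private: true, dependencies: { 'arduino-ide-extension': '2.3.2' } },
};

// "@scope/name" is scoped; anything else is a plain registry name that anyone may register.
function isScoped(name) {
  return /^@[^\/]+\/[^\/]+$/.test(name);
}

// List every member whose name is unscoped, with the scoped name it should get.
// "workspaces" may be a plain array or Yarn's { packages: [...] } object form.
function auditWorkspaces(root, members, scope) {
  const ws = root.workspaces || [];
  const findings = [];
  for (const dir of Array.isArray(ws) ? ws : ws.packages || []) {
    const pkg = members[dir];
    if (!pkg || isScoped(pkg.name)) continue;
    findings.push({ dir, name: pkg.name, private: Boolean(pkg.private), suggested: `${scope}/${pkg.name}` });
  }
  return findings;
}

// Return copies of the members with unscoped names scoped and intra-workspace
// dependency keys rewritten to match; directory names are left unchanged.
function scopeWorkspaces(root, members, scope) {
  const rename = new Map(auditWorkspaces(root, members, scope).map((f) => [f.name, f.suggested]));
  const out = {};
  for (const [dir, pkg] of Object.entries(members)) {
    const copy = JSON.parse(JSON.stringify(pkg)); // never mutate the input objects
    copy.name = rename.get(copy.name) || copy.name;
    for (const field of DEP_FIELDS) {
      if (!copy[field]) continue;
      copy[field] = Object.fromEntries(Object.entries(copy[field]).map(([k, v]) => [rename.get(k) || k, v]));
    }
    out[dir] = copy;
  }
  return out;
}
```

Running auditWorkspaces on the real repository would read each workspace directory's package.json from disk instead of the constructed objects; a non-empty result is the signal to rename.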
