VU#534320 impact evaluation on Open edX platforms

Hi All!

I have been trying to find any discussion on this in here and in Slack but I didn’t find anything so far.

Has there been any evaluation of the reported NPM supply chain compromise VU#534320 impact on Open edX platforms?

It would be great to get some advice from frontend experts on this, thanks!

Not entirely sure myself, but as far as I can tell from searching the GitHub repos, it doesn't look like any of those listed compromised packages are used in OpenEdX.
Disclaimer: not an expert :sweat_smile:


@arbrandes could you weigh in?


I created a script that should help us search our repos for specific packages. It will generate a report of exact and partial matches. I included a list of all the packages I could find that were part of this vulnerability. I also included a list of packages I know we are using in order to test that the script is working correctly. Feedback is welcome. I will post the results of the test when it finishes.


Here are the results. If we can find an up-to-date list of vulnerable packages in plain text, maybe we can reference that. I just copied and pasted the list from various websites.

partial_matches.txt (236.8 KB)

exact_matches.txt (254 Bytes)


My team pointed out that some package files are nested, so I added a --recursive flag.
Updated results:

partial_matches.txt (258.0 KB)

exact_matches.txt (254 Bytes)

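An added example, not the script posted in this thread (which is not reproduced here): a scanner that walks a checkout recursively, reads every package.json, package-lock.json and npm-shrinkwrap.json it finds (including those under node_modules, whose package.json records the installed version), and reports exact matches (package name and resolved version both equal a listed compromised release) separately from partial matches (name only, e.g. a different version, or a manifest range such as ^4.1.0 that could still resolve to the bad release on a fresh install). The indicator names, versions and sample documents are constructed placeholders, not real advisory data; swap in the name@version list from the advisory you trust. yarn.lock is not parsed.

```python
"""Scan npm manifests and lockfiles for known-compromised package versions.

Added example for this thread; not the script posted above. The names and
versions in SAMPLE_INDICATORS and SAMPLE_DOCS are constructed placeholders.
"""
from __future__ import annotations

import json
import os
import sys
from pathlib import Path
from typing import Iterable, Iterator

# Constructed indicators: (package name, compromised version). Placeholders only.
SAMPLE_INDICATORS = [("example-compromised-a", "4.1.3"), ("example-compromised-b", "2.0.1")]

MANIFEST_NAMES = {"package.json"}
LOCKFILE_NAMES = {"package-lock.json", "npm-shrinkwrap.json"}
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")


def iter_manifest_packages(manifest: dict) -> Iterator[tuple[str, str]]:
    """Yield (name, version) for the manifest itself (the installed version when it
    sits under node_modules) and (name, range) for every declared dependency."""
    if manifest.get("name") and manifest.get("version"):
        yield manifest["name"], str(manifest["version"])
    for field in DEP_FIELDS:
        for name, spec in (manifest.get(field) or {}).items():
            yield name, str(spec)


def iter_lockfile_packages(lock: dict) -> Iterator[tuple[str, str]]:
    """Yield (name, resolved version) for every package in a lockfile, including
    transitive and nested node_modules entries (lockfileVersion 1, 2 and 3)."""
    if "packages" in lock:  # v2/v3: entries keyed by install path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            yield path.rsplit("node_modules/", 1)[-1], str(meta.get("version", ""))
        return

    def walk_v1(deps: dict) -> Iterator[tuple[str, str]]:  # v1: nested "dependencies"
        for name, meta in deps.items():
            yield name, str(meta.get("version", ""))
            yield from walk_v1(meta.get("dependencies") or {})

    yield from walk_v1(lock.get("dependencies") or {})


def scan_documents(docs: dict[str, dict], indicators: Iterable[tuple[str, str]]) -> dict[str, list[tuple[str, str, str]]]:
    """docs maps a file path to its parsed JSON. Returns {"exact": [...], "partial": [...]}
    of (path, name, version): exact = name and version match a compromised release,
    partial = name matches but the version differs or is a range."""
    indicators = list(indicators)
    exact_set = set(indicators)
    names = {name for name, _ in indicators}
    report: dict[str, list[tuple[str, str, str]]] = {"exact": [], "partial": []}
    for path, doc in docs.items():
        base = os.path.basename(path)
        if base in LOCKFILE_NAMES:
            entries = iter_lockfile_packages(doc)
        elif base in MANIFEST_NAMES:
            entries = iter_manifest_packages(doc)
        else:
            continue
        for name, version in entries:
            if (name, version) in exact_set:
                report["exact"].append((path, name, version))
            elif name in names:
                report["partial"].append((path, name, version))
    return report


def load_tree(root: Path) -> dict[str, dict]:
    """Recursively read every manifest and lockfile under root (the --recursive case)."""
    docs: dict[str, dict] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for filename in filenames:
            if filename in MANIFEST_NAMES | LOCKFILE_NAMES:
                path = Path(dirpath) / filename
                try:
                    doc = json.loads(path.read_text(encoding="utf-8"))
                except (OSError, ValueError):
                    continue  # unreadable or not JSON; nothing to report for it
                if isinstance(doc, dict):
                    docs[str(path)] = doc
    return docs


# Constructed sample documents standing in for files found in a checkout.
SAMPLE_DOCS = {
    "frontend-app-example/package.json": {
        "name": "frontend-app-example", "version": "1.0.0",
        "dependencies": {"example-compromised-a": "^4.1.0", "left-pad": "1.3.0"},
    },
    "frontend-app-example/package-lock.json": {
        "lockfileVersion": 3,
        "packages": {
            "": {"name": "frontend-app-example", "version": "1.0.0"},
            "node_modules/example-compromised-a": {"version": "4.1.2"},
            "node_modules/left-pad": {"version": "1.3.0"},
            "node_modules/left-pad/node_modules/example-compromised-b": {"version": "2.0.1"},
        },
    },
    "legacy/package-lock.json": {
        "lockfileVersion": 1,
        "dependencies": {"outer": {"version": "1.0.0",
                                   "dependencies": {"example-compromised-a": {"version": "4.1.3"}}}},
    },
}

if __name__ == "__main__":
    # Usage: python scan_npm.py <checkout dir>; with no argument, scans SAMPLE_DOCS.
    docs = load_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DOCS
    result = scan_documents(docs, SAMPLE_INDICATORS)
    for kind in ("exact", "partial"):
        for path, name, version in result[kind]:
            print(f"{kind}\t{path}\t{name}@{version}")
```

Lockfiles are the source of truth for what a deployment actually installs, so a clean package.json with a dirty package-lock.json is still a hit; conversely a partial match in a manifest range with no lockfile pinning is worth treating as exposure, since a fresh install could pull the compromised release.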

Thanks @Jesse.Stewart.WGU ! Would it be possible to get an evaluation also for teak.2 which I believe most Open edX operators are running at the moment?

Kind reminder here; any chance we could confirm if the Teak release is impacted?