Andrew Udvare audvare at
Sun Feb 21 22:08:07 UTC 2021

On 21/02/2021 16:43, Rene Engelhard wrote:
> And LibreOffice Online *does* use npm.
> So while LibreOffice itself shouldn't be affected, conceptually by using
> npm LibreOffce Online is.

I think if you use 'npm install' (or 'yarn install'), the manager should 
be pulling in the correct version and then hash checking based on the 
contents of the .lock file. Running `npm update`, `npm install <new 
package>` or similar may be affected.

The real issue is when a new dependency gets added or updated but 
everything seems normal, in that the replacement dependency has stubs to 
not make the code crash, but also does nefarious things in the 
background. There would be no way to know without deep inspection, and 
npm dependency trees are usually huge.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the LibreOffice mailing list