
fix: Delete package-lock.json to eliminate malicious fsevents (MAL-2023-462)#27

Open
razorgupta wants to merge 1 commit into
mainfrom
fix/remove-malicious-fsevents-mal-2023-462

Conversation

@razorgupta

Summary

  • Delete package-lock.json to eliminate malicious fsevents dependency (MAL-2023-462)
  • The lock file was the only thing pinning fsevents to a malicious version that has been removed from npm

Why delete the lock file?

  • fsevents is a transitive dependency (via webpack/chokidar), not direct
  • Malicious versions have been unpublished from npm
  • A fresh npm install will generate a clean lock file with safe versions

Impact

  • No production service runs this dependency
  • No CI/CD workflow will break

…23-462)

The lock file pins fsevents to a malicious version that has been
removed from the npm registry. Deleting the lock file ensures a
fresh npm install will resolve only safe versions.
fsevents is a transitive optional dependency (via webpack/chokidar)
that was never directly required.
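Before deleting a lock file to get rid of one pinned package, a reviewer will want to see exactly what the file pins for that package and who pulls it in. The script below is an added example, not code from this PR or the repository: it reads a package-lock.json (lockfileVersion 1, 2 or 3), lists every entry for a named package with its version, resolved URL and integrity hash, shows which packages declare it as a dependency, and reports whether any pinned version is in a list of flagged versions. The sample lock content, the dependency chain, the `2.3.2-placeholder` version and the integrity strings are all constructed placeholders; they are not the values from MAL-2023-462.

```javascript
// Added example (not the PR's or the repository's code): inspect what a
// package-lock.json pins for one package before deciding to delete the file.
// Everything in SAMPLE_LOCK_TEXT is constructed; versions, URLs and integrity
// hashes are placeholders, not values from MAL-2023-462.

const SAMPLE_LOCK_TEXT = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", devDependencies: { webpack: "^5.0.0" } },
    "node_modules/webpack": {
      version: "5.0.0",
      resolved: "https://registry.npmjs.org/webpack/-/webpack-5.0.0.tgz",
      integrity: "sha512-PLACEHOLDER-WEBPACK",
      dev: true,
      dependencies: { chokidar: "^3.5.0" }, // illustrative chain, not webpack's real tree
    },
    "node_modules/chokidar": {
      version: "3.5.3",
      resolved: "https://registry.npmjs.org/chokidar/-/chokidar-3.5.3.tgz",
      integrity: "sha512-PLACEHOLDER-CHOKIDAR",
      dev: true,
      optionalDependencies: { fsevents: "~2.3.2" },
    },
    "node_modules/fsevents": {
      version: "2.3.2-placeholder", // hypothetical version string
      resolved: "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2-placeholder.tgz",
      integrity: "sha512-PLACEHOLDER-FSEVENTS",
      dev: true,
      optional: true,
      os: ["darwin"],
    },
  },
});

// Parse lock file text and make sure it looks like an npm lock file.
function parseLock(text) {
  const lock = JSON.parse(text);
  if (typeof lock.lockfileVersion !== "number") {
    throw new Error("not an npm package-lock.json: missing lockfileVersion");
  }
  return lock;
}

// Normalise both layouts into a flat list of { path, entry }.
// v2/v3 keep a flat "packages" map keyed by install path; v1 nests
// "dependencies" objects, so we walk them and rebuild the install path.
function lockEntries(lock) {
  if (lock.packages) {
    return Object.entries(lock.packages).map(([path, entry]) => ({ path, entry }));
  }
  const out = [];
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      out.push({ path, entry });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return out;
}

// Every installed copy of `name`, including nested duplicates, with the
// fields that actually pin it: version, resolved tarball and integrity hash.
function findPackage(lock, name) {
  const suffix = `node_modules/${name}`;
  return lockEntries(lock)
    .filter(({ path }) => path === suffix || path.endsWith(`/${suffix}`))
    .map(({ path, entry }) => ({
      path,
      version: entry.version,
      resolved: entry.resolved,
      integrity: entry.integrity,
      optional: Boolean(entry.optional),
    }));
}

// Which entries declare `name` in any dependency map. In v1 files the
// ranges live under "requires"; nested "dependencies" there are objects,
// not ranges, so only string values count.
function whoRequires(lock, name) {
  const kinds = ["dependencies", "optionalDependencies", "devDependencies", "peerDependencies", "requires"];
  const out = [];
  for (const { path, entry } of lockEntries(lock)) {
    for (const kind of kinds) {
      const range = entry[kind] && entry[kind][name];
      if (typeof range === "string") out.push({ path: path || "(root)", kind, range });
    }
  }
  return out;
}

// True only when the root package itself (v2/v3 key "") declares it.
function isDirectDependency(lock, name) {
  return whoRequires(lock, name).some((r) => r.path === "(root)");
}

// One-shot summary for a review comment or a CI gate.
function report(lock, name, flaggedVersions) {
  const pinned = findPackage(lock, name);
  return {
    pinned,
    requiredBy: whoRequires(lock, name),
    direct: isDirectDependency(lock, name),
    flaggedHits: pinned.filter((p) => flaggedVersions.includes(p.version)),
  };
}

console.log(JSON.stringify(report(parseLock(SAMPLE_LOCK_TEXT), "fsevents", ["2.3.2-placeholder"]), null, 2));
```

On a real repository, replace `SAMPLE_LOCK_TEXT` with `fs.readFileSync("package-lock.json", "utf8")` and run it twice: once on the lock file this PR deletes, and again on the one a fresh `npm install` regenerates, so the review can confirm which versions and integrity hashes the new file pins rather than only that the old one is gone.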
