chore(security): pin @asyncapi/specs to 6.11.1 (Miasma RAT supply-chain compromise)#2640
Conversation
@asyncapi/specs@6.11.2 was published on 2026-07-14 with obfuscated malware (Miasma RAT) via compromised AsyncAPI CI workflows. It is pulled in transitively here via @stoplight/spectral-cli -> @stoplight/spectral-rulesets -> @asyncapi/specs@^6.8.0. The lockfile currently resolves the safe 6.11.1, but the ^6.8.0 range allows a fresh resolve to pick up the compromised 6.11.2. Pin it to 6.11.1 via a root resolutions entry (resolved version and checksum unchanged).
|
|
@gyancr7 is attempting to deploy a commit to the HyperDX Team on Vercel. A member of the Team first needs to authorize it. |
Greptile SummaryThis PR pins a transitive AsyncAPI package to a known-safe release. The main changes are:
Confidence Score: 5/5This looks safe to merge.
Important Files Changed
Reviews (1): Last reviewed commit: "chore(security): pin @asyncapi/specs to ..." | Re-trigger Greptile |
Deep Review✅ No critical issues found. This is a correct, minimal, and effective supply-chain pin. The core risk — that re-keying the lockfile descriptor from Verified during review:
🔵 P3 nitpicks (2)
Reviewers (4): correctness, security, project-standards, maintainability. Testing gaps: None applicable to a dependency-manifest pin. Verification note: confirm CI runs |
|
The latest updates on your projects. Learn more about Vercel for GitHub. 2 Skipped Deployments
|
Fixes #2641
Why
On 2026-07-14, several AsyncAPI npm packages were compromised via malicious commits and CI/CD publication.
@asyncapi/specs@6.11.2was published with obfuscated malware (Miasma RAT — a credential stealer targeting browsers, SSH keys, npm tokens, and crypto wallets).@asyncapi/specshas ~2.7M weekly downloads.Reference: https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/
This repo pulls in
@asyncapi/specstransitively (it is not a direct dependency):The committed
yarn.lockcurrently resolves the safe6.11.1, so existing installs are fine. However, the declared range^6.8.0means any fresh resolve / lockfile regeneration could silently pull the compromised6.11.2.What
"@asyncapi/specs": "6.11.1"to the rootresolutionsblock.yarn installupdated the lockfile descriptor from^6.8.0to a pinned6.11.1. The resolved version and checksum are unchanged — same known-safe artifact, just made explicit and immutable.Scope
Minimal:
package.json(+1 resolution) andyarn.lock(descriptor key only). No source or runtime behavior change; I did not add a changeset since this only affects dev-tooling dependency resolution — happy to add one if preferred.