
feat: add antv-block incident block list for 317 packages#291

Merged: elrrrrrrr merged 1 commit into cnpm:master from killagu:feat/antv-block-incident-full on May 19, 2026

Conversation


@killagu killagu commented May 19, 2026

Summary

Adds config["bug-versions"] entries for the antv-block supply-chain incident of 2026-05-19, in which 637 versions across 317 packages were published — each minor/patch-bumped above the package's last stable release, in two batches within ~30 minutes.

Every blocked version redirects to the last clean release:

  • normally the package's dist-tag latest (npm kept that tag intact for all but one package);
  • where latest itself was compromised — only uri-parse, whose latest pointed at the malicious 1.2.0 — the newest clean stable version is used instead (uri-parse 1.0.0).

Stats

  • 317 packages / 637 versions added
  • diff: package.json only, +3182 lines, no deletions
  • node --test passes

Excluded — needs manual review

  • @antv/g6-lite — its only published version (0.1.0-beta.1) is itself the suspect one, so there is no clean version to redirect to. Left out of this PR; should be handled via package takedown instead.

Relation to #290

This supersedes #290, which covered 269 of the 318 source packages and omitted 49 — including uri-parse, whose naive "default to latest" target would have pointed straight back at the malicious version.

🤖 Generated with Claude Code

Block 637 versions across 317 packages published in the antv-block
supply-chain incident on 2026-05-19. Each blocked version redirects to
the last clean release: the dist-tag `latest`, or the newest clean
stable version when `latest` itself was compromised (e.g. uri-parse,
whose `latest` tag pointed at the malicious 1.2.0).

@antv/g6-lite is intentionally excluded: its only published version is
the suspect one, so there is no clean version to redirect to.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
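The redirect rule described above (keep `latest` when it is clean, otherwise fall back to the newest clean stable version, otherwise flag the package for manual handling), as an added JavaScript example that is not code from this PR or the cnpm/bug-versions project. The sample registry data, the package name `example-pkg`, the minimal version parser and the `{ version, reason }` entry shape are constructed assumptions for illustration.

```javascript
// Added example, not code from cnpm/bug-versions: derive redirect targets for
// an incident block list using the rule the PR describes. Package names other
// than uri-parse and @antv/g6-lite, the version lists, and the entry shape
// ({ version, reason }) are constructed/assumed for illustration.

// Parse "major.minor.patch[-prerelease]"; anything carrying a prerelease tag is
// not a "stable" version and is never chosen as a fallback target.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

// Numeric major.minor.patch ordering (prereleases are filtered out before use).
function compareVersions(a, b) {
  const pa = parseVersion(a).nums, pb = parseVersion(b).nums;
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Pick the redirect target for one package: `latest` if it is clean, otherwise
// the newest clean stable version, or null when no clean version exists.
// Never returning a version from the incident set is the check #290 lacked.
function pickRedirectTarget(badVersions, published, latest) {
  const bad = new Set(badVersions);
  if (!bad.has(latest)) return latest;
  const clean = published
    .filter((v) => !bad.has(v) && parseVersion(v).prerelease === null)
    .sort(compareVersions);
  return clean.length ? clean[clean.length - 1] : null;
}

// Build config["bug-versions"] entries; packages with no clean version are
// reported for manual handling (takedown) instead of being given a target.
function buildBlockList(incident, registry, reason) {
  const entries = {}, needsManualReview = [];
  for (const [name, badVersions] of Object.entries(incident)) {
    const { versions, latest } = registry[name];
    const target = pickRedirectTarget(badVersions, versions, latest);
    if (target === null) { needsManualReview.push(name); continue; }
    entries[name] = Object.fromEntries(badVersions.map((v) => [v, { version: target, reason }]));
  }
  return { entries, needsManualReview };
}

// Constructed sample input: a package whose `latest` stayed clean, uri-parse
// whose `latest` pointed at the malicious version, and a package with no clean release.
const SAMPLE_INCIDENT = { 'example-pkg': ['2.3.1', '2.4.0'], 'uri-parse': ['1.2.0'], '@antv/g6-lite': ['0.1.0-beta.1'] };
const SAMPLE_REGISTRY = {
  'example-pkg': { versions: ['2.2.0', '2.3.0', '2.3.1', '2.4.0'], latest: '2.3.0' },
  'uri-parse': { versions: ['1.0.0', '1.2.0'], latest: '1.2.0' },
  '@antv/g6-lite': { versions: ['0.1.0-beta.1'], latest: '0.1.0-beta.1' },
};
console.log(JSON.stringify(buildBlockList(SAMPLE_INCIDENT, SAMPLE_REGISTRY, 'antv-block incident 2026-05-19'), null, 2));
```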
Copilot AI review requested due to automatic review settings May 19, 2026 05:25

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.



@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.


coderabbitai Bot commented May 19, 2026

Important

Review skipped

Review was skipped as selected files did not have any reviewable changes.

💤 Files selected but had no reviewable changes (1)
  • package.json

📥 Commits

Reviewing files that changed from the base of the PR and between a79e821 and 03d04ef.

📒 Files selected for processing (1)
  • package.json


@elrrrrrrr elrrrrrrr enabled auto-merge May 19, 2026 05:50
@elrrrrrrr elrrrrrrr disabled auto-merge May 19, 2026 05:57
@elrrrrrrr elrrrrrrr merged commit 42d56d3 into cnpm:master May 19, 2026
10 checks passed
@killagu killagu deleted the feat/antv-block-incident-full branch May 19, 2026 05:57
fengmk2 pushed a commit that referenced this pull request May 19, 2026
[skip ci]

## 1.121.0 (2026-05-19)

* feat: add antv-block incident block list for 317 packages (#291) ([42d56d3](42d56d3)), closes [#291](#291) [#290](#290) [#290](#290)
* chore: add PR title check workflow (#288) ([a79e821](a79e821)), closes [#288](#288)
@github-actions

🎉 This PR is included in version 1.121.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
