Hi, I received this mail from GitHub:
Should I be concerned or is it a false alert?
Cheers.
Me too, but I got like 10 of these warnings in 2 repositories.
Yeah this is a problem even if it is a false positive. The description alone makes it imperative that Unity acts on it.
However this is totally the wrong forum for such a post as it's unlikely that anyone from Unity would see it. Thankfully the issue has already been posted to the Package Manager sub-forum here. This time it was related to the Mathematics package, but a Unity developer has already replied saying it's been flagged to the team so hopefully we will see some action quickly.
It is concerning though, especially if this is not a false positive, as the fact that multiple packages are being flagged suggests some shared code is at fault. Either that or someone has managed to false flag Unity packages in general as being a problem. Regardless, hopefully we'll get some meaningful response from Unity and they won't sweep it under the carpet like the recent Unity Hub fiasco.
Here is what I think happened:
Some jackass created a virus with this package name and uploaded it to NPMJS. Dependabot doesn’t know about Unity or UPM yet, so it thinks your package.json file uses the NPM format. It thinks you were using the package from NPMJS registry, which was malware; while you were using the package from Unity’s UPM registry, which is not malware.
There is a feature request on GitHub to make Dependabot support Unity and UPM: Support Unity UPM packages · Issue #4589 · dependabot/dependabot-core · GitHub
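The post above describes the mechanism behind the alert: a scanner that assumes the npm manifest format will look up each dependency name on the npm registry, even though Unity actually resolves it from its own registry (or a scoped registry, a git URL, or a local path). The following script is an added example, not code from the thread, from Unity, or from Dependabot. It parses a Unity `Packages/manifest.json`, works out where Unity would really fetch each dependency from, and lists the names that a name-based scanner would wrongly match against npm, so a maintainer can tell at a glance which alerts are candidates for this kind of false positive. The manifest and the scoped-registry URL are constructed for the example; the "longest matching scope wins" rule is an assumption about Unity's resolution order.

```python
import json

# Unity's default package registry, used when no scoped registry claims the name.
UNITY_DEFAULT_REGISTRY = "https://packages.unity.com"

# Constructed sample project manifest (Packages/manifest.json). The scoped
# registry URL is a placeholder, not a real registry.
SAMPLE_MANIFEST = """{
  "dependencies": {
    "com.unity.mathematics": "1.2.6",
    "com.unity.modules.ui": "1.0.0",
    "com.example.tool": "https://github.com/example/tool.git#v1.0.0",
    "com.example.local": "file:../LocalPackages/local",
    "com.openupm.sample": "2.0.1"
  },
  "scopedRegistries": [
    {
      "name": "Example scoped registry",
      "url": "https://registry.example.invalid",
      "scopes": ["com.openupm"]
    }
  ]
}"""


def classify_source(name, spec, scoped_registries):
    """Return (kind, registry_url) describing where Unity resolves a dependency from.

    kind is one of: builtin, file, git, scoped-registry, unity-registry.
    registry_url is set only for the two registry kinds.
    """
    if name.startswith("com.unity.modules."):
        # Built-in engine modules ship with the editor; nothing is downloaded.
        return ("builtin", None)
    if spec.startswith("file:"):
        return ("file", None)
    if spec.startswith(("git+", "ssh://")) or spec.endswith(".git") or ".git#" in spec:
        return ("git", None)
    # Assumption: when several scoped registries match, the longest scope wins.
    best_scope, best_url = None, None
    for reg in scoped_registries:
        for scope in reg.get("scopes", []):
            if (name == scope or name.startswith(scope + ".")) and (
                best_scope is None or len(scope) > len(best_scope)
            ):
                best_scope, best_url = scope, reg["url"]
    if best_scope is not None:
        return ("scoped-registry", best_url)
    return ("unity-registry", UNITY_DEFAULT_REGISTRY)


def audit_manifest(manifest_text):
    """Parse a Unity manifest and annotate each dependency with its real source.

    npm_lookup_risk is True for names that a scanner assuming the npm format
    would look up on registry.npmjs.org, i.e. the ones exposed to the
    name-collision false positive discussed in the thread.
    """
    manifest = json.loads(manifest_text)
    scoped = manifest.get("scopedRegistries", [])
    findings = []
    for name, spec in manifest.get("dependencies", {}).items():
        kind, registry = classify_source(name, spec, scoped)
        findings.append({
            "name": name,
            "spec": spec,
            "kind": kind,
            "registry": registry,
            "npm_lookup_risk": kind in ("unity-registry", "scoped-registry"),
        })
    return findings


def names_needing_review(findings):
    """Names to check against a scanner alert before treating it as real."""
    return [f["name"] for f in findings if f["npm_lookup_risk"]]


if __name__ == "__main__":
    results = audit_manifest(SAMPLE_MANIFEST)
    for f in results:
        where = f["registry"] or "-"
        print(f"{f['name']:<24} {f['kind']:<16} {where}")
    print("Review against npm-based alerts:", names_needing_review(results))
```

Running it on the constructed manifest marks `com.unity.mathematics` and `com.openupm.sample` as the only names a registry-resolved lookup touches; the git, file and built-in entries cannot be the source of an npm name collision. The same `dependencies` shape appears in each package's own `package.json`, so the classifier can be pointed at those files too (without `scopedRegistries`, everything falls through to the Unity registry).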
It doesn’t impact me so I didn’t look any further, and can’t find the link again, but I read a little about this yesterday.
From memory, this is a false positive based on a library included by the Unity package. A different library elsewhere with the same name has been flagged as malware, and Dependabot is flagging all projects which include a library with a matching name.