
[Notice]: Version 1.1.7 of @rspack/core and @rspack/cli has security risks. Please use version 1.1.8 or v1.1.6 instead #8767

Closed
@baiwusanyu-c

Description

Notice from Rspack team

Rspack has encountered an attack. @rspack/core and @rspack/cli 1.1.7 are vulnerable versions released by the attacker, and they contain malicious scripts.

The Rspack team has taken countermeasures:

  • Deprecated 1.1.7 and pointed the latest dist-tag to 1.1.6
  • Invalidated all existing npm tokens and GitHub tokens
  • Checked the permissions of the repository and npm packages
  • Checked for potential vulnerabilities

Rspack v1.1.8 has been released by the Rspack team. This version is a re-release of v1.1.6 to prevent the attacked version from being installed by mistake. You can use either of them.

The Rspack team will elaborate on the entire process in detail later.


The original issue

System Info

System:
  OS: Windows 10 10.0.19045
  CPU: (8) x64 11th Gen Intel(R) Core(TM) i5-1135G7 @ 2.40GHz
  Memory: 1.70 GB / 15.73 GB
Binaries:
  Node: 20.10.0 - C:\Program Files\nodejs\node.EXE
  Yarn: 1.22.22 - ~\AppData\Local\pnpm\yarn.CMD
  npm: 10.2.3 - C:\Program Files\nodejs\npm.CMD
Browsers:
  Edge: Chromium (127.0.2651.74)
  Internet Explorer: 11.0.19041.4355
npmPackages:
  @rspack/cli: ^1.1.6 => 1.1.7
  @rspack/core: ^1.1.6 => 1.1.7

Details

Image

Reproduce link

No response

Reproduce Steps

run rspack build
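
An added example (not from the Rspack team or the issue author): a check of a parsed npm `package-lock.json` for the 1.1.7 releases of `@rspack/core` and `@rspack/cli` named in the notice, including copies nested under other packages. `findCompromised`, `nameFromPath`, `sampleLock`, `demo-app` and `some-plugin` are names made up for this illustration; Yarn and pnpm lockfiles use other formats and are not handled.

```javascript
// Versions the notice names as released by the attacker.
const COMPROMISED = new Map([['@rspack/core', ['1.1.7']], ['@rspack/cli', ['1.1.7']]]);

// "node_modules/a/node_modules/@rspack/core" -> "@rspack/core" (v2/v3 keys).
function nameFromPath(key) {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? null : key.slice(i + 'node_modules/'.length);
}

// Returns [{ name, version, location }] for each compromised install in a
// parsed package-lock.json (lockfileVersion 1, 2 or 3).
function findCompromised(lock) {
  const hits = [];
  const seen = new Set();
  const check = (name, version, location) => {
    const bad = COMPROMISED.get(name);
    if (bad && bad.includes(version) && !seen.has(location)) {
      seen.add(location);
      hits.push({ name, version, location });
    }
  };
  // v2/v3: flat "packages" map keyed by install path.
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || nameFromPath(key);
    if (name) check(name, entry.version, key);
  }
  // v1 (and the v2 compatibility copy): nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const location = `${prefix}node_modules/${name}`;
      check(name, entry.version, location);
      walk(entry.dependencies, `${location}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample (not from the issue): a caret range such as ^1.1.6
// resolved to 1.1.7, directly and under a hypothetical "some-plugin".
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/@rspack/cli': { version: '1.1.7' },
    'node_modules/@rspack/core': { version: '1.1.8' },
    'node_modules/some-plugin/node_modules/@rspack/core': { version: '1.1.7' },
  },
};
console.log(findCompromised(sampleLock));
```

To scan a real project, pass the result of `JSON.parse` on the contents of its `package-lock.json` as `lock`.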
