What’s new
We’ve added a fix to protect against a recent npm supply-chain attack where malicious code was found in popular packages.
(Details: link)
Why it matters
- Our app doesn’t directly use the bad packages.
- They could still sneak in through indirect dependencies.
- Even though our current package-lock.json was safe, a fresh npm install could have pulled in a hacked version.
What we did
- Forced npm to always use safe, audited versions of the risky packages.
- Ignored any vulnerable versions that might be requested by other dependencies.
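As an added example (not RTL's own code) of how an overrides pin in package.json can be checked against the lockfile that npm ci actually resolves, including nested copies pulled in by other dependencies; package names and versions are constructed placeholders, and the check assumes exact-version overrides and a lockfileVersion 2/3 "packages" map:

```javascript
// Added example, not RTL's own code. Package names and versions below are
// constructed placeholders, not the packages named in the advisory.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  overrides: {
    "example-risky-pkg": "4.2.1",   // hypothetical audited version
    "example-other-pkg": "1.0.8",   // hypothetical audited version
  },
};

// Constructed lockfile (lockfileVersion 3 layout): keys are node_modules paths,
// so a nested copy requested by another dependency shows up as its own entry.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/example-risky-pkg": { version: "4.2.1" },
    "node_modules/example-other-pkg": { version: "1.0.8" },
    "node_modules/some-dep": { version: "2.0.0" },
    // nested copy that ignored the override: this is what the check must catch
    "node_modules/some-dep/node_modules/example-risky-pkg": { version: "4.3.0" },
  },
};

// Map a lockfile path to the bare package name (scoped names keep their "@scope/").
function packageNameFromPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Return every lockfile entry whose resolved version differs from its override.
function findOverrideViolations(pkgJson, lock) {
  const overrides = pkgJson.overrides || {};
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const pinned = overrides[packageNameFromPath(lockPath)];
    if (pinned !== undefined && entry.version !== pinned) {
      violations.push({ path: lockPath, expected: pinned, actual: entry.version });
    }
  }
  return violations;
}

const violations = findOverrideViolations(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK);
console.log(violations.length === 0 ? "lockfile honours overrides" : violations);
```

Run it against a real package.json and package-lock.json by replacing the two constructed objects with JSON.parse of the files; a non-empty result means the lockfile still carries a version the override was meant to exclude.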
What you need to do
Run a clean install on the new release with npm ci --omit=dev --legacy-peer-deps.
PGP Key: https://keybase.io/suheb
Retrieve the source code repository, check for the latest release and verify the code signature
$ git clone https://github.com/Ride-The-Lightning/RTL.git
$ cd RTL
$ git checkout v0.15.6
$ git verify-tag v0.15.6
gpg: Signature made Tue Sep 9 20:04:18 2025 PDT
gpg: using RSA key 3E9BD4436C288039CA827A9200C9E2BC2E45666F
gpg: Good signature from "saubyk (added uid) <39208279+saubyk@users.noreply.github.com>" [ultimate]
gpg: aka "Suheb <39208279+saubyk@users.noreply.github.com>" [ultimate]
Install RTL via npm
npm ci --omit=dev --legacy-peer-deps
Docker images available at https://hub.docker.com/r/shahanafarooqui/rtl/tags