Many security_advisory.published failing webhook events originating from similar npm packages #4578
Comments
robase
changed the title
|
The npm malware advisories are correlated with malware takedowns performed by the npm team. The idea is to alert anyone who may have downloaded the malware before it got pulled from the npm registry. In that sense they are reviewed and not junk.
That's certainly curious. I'll share that around 👍 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
My github org is currently receiving many webhooks of the
security_advisory.publishedtype. My understanding is that these advisories are general in nature and are not necessarily received due to a specific package being used within an org (please correct me if wrong).The reason I'm raising this is that there appear to be many junk
malwaretype advisories being pushed out through the database:see: https://github.com/advisories?query=type%3Amalware
example advisory: GHSA-hh4g-p2q6-7fvj
These advisories would need to be reviewed before being sent out, is that correct? An interesting note is that these events are also all failing the
X-Hub-Signature-256check for the github app installed in my org receiving the webhook eventsThe text was updated successfully, but these errors were encountered: