IMPORTANT. PLEASE READ: ua-parser-js exploit and K...
# announcements
h
IMPORTANT. PLEASE READ: ua-parser-js exploit and Kotlin/JS. https://blog.jetbrains.com/kotlin/2021/10/important-ua-parser-js-exploit-and-kotlin-js/
3
🙏 20
o
When searching for installed versions of ua-parser-js on Linux, the grep command mentioned gave me no results. I had more success with this command line (with {x} being replaced by the start directories to search):
find {x} -mount -iname \*ua-parser-js\* -exec grep -H -i version '{}/package.js' \;
h
Hmm. I tested this multiple times and it seemed to work for me…
But thanks. I’ll update the post to also mention yours.
o
Did some research. The only package.json with a match was one in an npm repository under ~/npm. The format differed in that there was no space between the "_id": and "ua-parser-js. So the following grep variant would fix that and should find both versions:
grep -r --include=package.json '"_id": *"ua-parser-js' {x}
The package.js files were all in build/js/node_modules directories of several Kotlin multiplatform projects. Each of them had a package.json at its side, but with a different format (multi-line instead of single line, and the "_id" key was missing). This command line would find them all via their package.json manifest files, regardless of format, and print out the respective version:
grep -E -r -l --include=package.json '"(_id|name)": *"ua-parser-js' {x} | xargs grep -E -m 1 -o '"version": *"[0-9][^"]*"'
🙏 1
h
Hm. That’s not finding all instances on my machine…
(or should I say outputting)
j
Possibly indicates need for channel "security-announcements" - as I'd much rather pay attention to a compromise announcement than a mascot competition.
😄 3
o
@hhariri That seems strange. I suppose you have replaced the {x} as usual, even though it appears in the middle of the command line. An easier invocation would be this one (which also prints the path correctly if only a single file is found):
start_dir={x}; grep -E -r -l --include=package.json '"(_id|name)": *"ua-parser-js' "$start_dir" | xargs grep -EH -m 1 -o '"version": *"[0-9][^"]*"'
Example 1 (npm repo):
$ start_dir=.npm; grep -E -r -l --include=package.json '"(_id|name)": *"ua-parser-js' "$start_dir" | xargs grep -EH -m 1 -o '"version": *"[0-9][^"]*"'
.npm/ua-parser-js/0.7.24/package/package.json:"version":"0.7.24"
Example 2 (Kotlin projects):
$ start_dir=Repositories/experimental.nobackup; grep -E -r -l --include=package.json '"(_id|name)": *"ua-parser-js' "$start_dir" | xargs grep -EH -m 1 -o '"version": *"[0-9][^"]*"'
Repositories/experimental.nobackup/kotlinx.html/build/js/node_modules/ua-parser-js/package.json:"version": "0.7.21"
Repositories/experimental.nobackup/Issues/kotlin-coroutines-cancellation/build/js/node_modules/ua-parser-js/package.json:"version": "0.7.28"
Repositories/experimental.nobackup/Issues/KT-46340-repro/test/build/js/node_modules/ua-parser-js/package.json:"version": "0.7.28"
Repositories/experimental.nobackup/markdown-editor-mono/build/js/node_modules/ua-parser-js/package.json:"version": "0.7.28"
Repositories/experimental.nobackup/PeopleInSpace/build/js/node_modules/ua-parser-js/package.json:"version": "0.7.28"
Repositories/experimental.nobackup/kotlin-multiplatform-test-gutters/build/js/node_modules/ua-parser-js/package.json:"version": "0.7.28"
As the version mentioned in the blog post does not find the files in Kotlin projects, maybe it's worth checking again for completeness.
One idea: if you ran your checks on MacOS, it could be that its grep supports a different set of options. I'll try to check...
After checking the following sources, it appears that MacOS's BSD grep and xargs support all the options used above.
• https://ss64.com/osx/grep.html
• https://ss64.com/osx/xargs.html
If it's still not working, could you provide some details?