Tell HN: Search your project for "git://github.com". Any match is a bug.
1 point • by XCabbage • 9 months ago
Lots of open-source projects today contain (usually in docs, code comments, or metadata) repo URLs like this:

```
git://github.com/debug-js/debug.git
```

These URLs are broken. "git://" *is* a real protocol, but in 2022 GitHub stopped supporting it [1] so any URLs that purport to use the protocol for a GitHub repo are broken.

They are still quite common. 25 of the top 200 most-downloaded npm packages have such a URL in the "repository" field of their package.json file.

It would be nice if the world would fix these dead URLs (which is easily done by replacing "git://" with "https://"). They are confusing to readers who don't know about the git protocol or GitHub disabling it.

[1] https://github.blog/security/application-security/improving-git-protocol-security-github/#no-more-unauthenticated-git
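As an added example (my code, not the poster's), a small Node script that does what the post suggests: it finds `git://github.com` URLs in a package.json "repository" field (string or object form) or in free text, and rewrites them to `https://`. The sample package.json is constructed for the demo and is not a real package.

```javascript
// Added example (not from the original post): find "git://github.com/..." URLs in a
// package.json "repository" field or in free text and rewrite them to "https://".
// GitHub stopped serving unauthenticated git:// in 2022, so these URLs no longer work.

const GIT_GITHUB = /^git:\/\/github\.com\//i;

// Rewrite one URL. Only git://github.com/... is touched; anything else (https://,
// git+ssh://, the "github:owner/repo" shorthand) is returned unchanged.
function fixGitUrl(url) {
  if (typeof url !== 'string' || !GIT_GITHUB.test(url)) return url;
  return url.replace(GIT_GITHUB, 'https://github.com/');
}

// Rewrite the "repository" field of a package.json given as text. Handles both the
// string form and the { type, url } object form. Returns { text, changed }.
function fixPackageJson(jsonText) {
  const pkg = JSON.parse(jsonText);
  const repo = pkg.repository;
  let changed = false;
  if (typeof repo === 'string') {
    pkg.repository = fixGitUrl(repo);
    changed = pkg.repository !== repo;
  } else if (repo && typeof repo === 'object' && typeof repo.url === 'string') {
    const fixed = fixGitUrl(repo.url);
    changed = fixed !== repo.url;
    repo.url = fixed;
  }
  return { text: JSON.stringify(pkg, null, 2) + '\n', changed };
}

// List every git://github.com URL in arbitrary text (docs, comments) with its line
// number, so a maintainer can review the hits before editing.
function findGitGithubUrls(text) {
  const re = /git:\/\/github\.com\/[^\s"'<>)]+/g;
  const hits = [];
  text.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(re)) hits.push({ line: i + 1, url: m[0] });
  });
  return hits;
}

// Constructed sample input (not a real package), modelled on the post's example URL.
const samplePackageJson = JSON.stringify({
  name: 'example-package',
  repository: { type: 'git', url: 'git://github.com/debug-js/debug.git' },
});

console.log(fixPackageJson(samplePackageJson).text);
```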