While creating a client to interact with pub API, I found an endpoint that I believe is exposing some sensitive pub.dev activity information to the public.
I will not list the endpoint here for obvious reasons. I am available through DM on a few channels like Twitter, or Flutter Study Group on slack, if this is not the right forum for this.
The current data exposed displays the following global events:
{
"id": "REDACTED",
"package": null,
"version": null,
"timestamp": "REDACTED",
"source": "account",
"eventType": "memberJoined",
"eventData": {
"publisherId": "REDACTED",
"userId": "REDACTED",
"userEmail": "REDACTED",
"role": "admin",
"timestamp": "REDACTED"
},
"markdown": "REDACTED joined as member in role `admin`."
}
I deployed a fix, before filed https://github.com/dart-lang/pub-dev/pull/4174
This should be fixed now, thanks for the report. For future reference private reports can be made through https://pub.dev/security or [email protected]
@jonasfj Great! Thanks for the fast response! I will make sure I send a communication through proper channels going forward.
Most helpful comment
I deployed a fix, before filed https://github.com/dart-lang/pub-dev/pull/4174
This should be fixed now, thanks for the report. For future reference private reports can be made through https://pub.dev/security or [email protected]