Hello all,
As you may have seen in security news announcements/websites, there was a widespread npm supply chain attack that occurred yesterday which impacted 20+ widely used npm packages.
At this time, DSpace 7.x - 9.x are unaffected by these compromised npm packages. While some of the impacted npm packages are used by DSpace, no DSpace release uses any of the compromised versions of those packages. We also pin the version of all installed npm packages in our lock file (yarn.lock for 7.x-8.x or package-lock.json for 9.x) to ensure an unexpected package update doesn't occur. That said, we will continue to monitor the situation in case additional compromised packages are announced.
If your DSpace site has installed additional or custom npm packages, we highly recommend checking your "node_modules" directory and/or lock file (yarn.lock for 7.x-8.x or package-lock.json for 9.x) to verify you are not using any of the compromised versions of these npm packages.
If you have any questions, please let us know. If you'd like to discuss any security concerns privately, you may also contact the Committers via the email address security [at] dspace.org
Tim Donohue (on behalf of the DSpace Committers)
Technical Lead, DSpace