
[Pinned] The stylus package is accessible on npm now ! #2938

@iChenLei

Description

@iChenLei

For npmmirror.com users:

cnpm/cnpmcore#817

Reply from the npmmirror maintainer:

Yesterday we manually published the corresponding version on npmmirror as a temporary measure; because it was a re-publish, the hash did not match. At 10:43 this morning we re-synced stylus and deleted yesterday's temporary version. Could you regenerate your lock file and check whether it is back to normal? 🙏

The stylus package is accessible on npm again


Received an official reply from GitHub:

Hello,
 
Thanks for taking the time to let us know. It appears a maintainer associated with the stylus package published a malicious package which resulted in the account being suspended and associated packages being removed.
 
Our engineers are currently working on restoring stylus, we will update you when this has been completed.
 
Please let us know if we can help in any other way.
 
Regards, 
GitHub Trust & Safety

Some personal thoughts: if your company has been affected by Stylus, you need to reevaluate the relationship between npmjs and npm mirror and design a more reliable development process.

Some conclusions

    1. Stylus does not contain malicious code; this has been confirmed. npmmirror.com (a non-profit mirror sponsored by Alibaba) has resumed access.
    2. It is unclear whether this is a coincidence, but a tool called Stylus Tools component has been reported to have a CVE.
    3. Panya (the former maintainer of Stylus) used their own account to release a package containing malicious code (for security research purposes? I am unsure), but did not release a new version of Stylus containing malicious code.
    4. We are awaiting official action from npmjs. Yes, we are waiting for them to handle it.
    5. A workaround has been provided in the comments. Please apply it as needed.

Thanks for the GitHub advisory report, @Banegasn

github/advisory-database#5846

Workaround for everyone, with any package manager

big thanks to @DulanWirajith

Let's wait for the official response from npmjs. There's nothing I can do right now. I feel very uncomfortable.

It's okay, @iChenLei. I appreciate your prompt response. Let's wait for a response from npmjs.

In the meantime, we can use the following hacks as a temporary solution. You can reference the package directly in your package.json:

This guide provides temporary solutions for referencing the stylus package directly from its GitHub repository (stylus/stylus) in your package.json file for npm, Yarn, and pnpm. These methods allow you to specify a branch, tag, or commit hash for the package.

For npm

Option 1: Reference in Dependencies

You can reference the stylus package dynamically by specifying a branch, tag, or commit hash in the dependencies section of package.json.

{
  "dependencies": {
    "stylus": "github:stylus/stylus#version-you-need"
  }
}

Example with Specific Version (e.g., 0.54.4):

{
  "dependencies": {
    "stylus": "github:stylus/stylus#0.54.4"
  }
}

Option 2: Use Overrides

You can override the stylus package version used by other dependencies by specifying it in the overrides section (supported in npm v8.3.0 and later).

{
  "overrides": {
    "stylus": "github:stylus/stylus#version-you-need"
  }
}

Example with Specific Version (e.g., 0.54.4):

{
  "overrides": {
    "stylus": "github:stylus/stylus#0.54.4"
  }
}

Note: Ensure the specified tag, branch, or commit (e.g., 0.54.4) exists in the stylus/stylus repository. Clear the npm cache (npm cache clean --force) if you encounter issues with outdated dependencies.

For Yarn

Option 1: Reference in Dependencies

Yarn (both Classic and Berry) supports referencing GitHub repositories in the dependencies section using the same github:username/repo#branch-or-tag syntax.

{
  "dependencies": {
    "stylus": "github:stylus/stylus#version-you-need"
  }
}

Example with Specific Version (e.g., 0.54.4):

{
  "dependencies": {
    "stylus": "github:stylus/stylus#0.54.4"
  }
}

Option 2: Use Resolutions (Yarn Classic) or Overrides (Yarn Berry)

  • Yarn Classic (v1): Use the resolutions field to override the version of stylus used by dependencies.

{
  "resolutions": {
    "stylus": "github:stylus/stylus#version-you-need"
  }
}

  • Yarn Berry (v2+): Supports both resolutions and overrides. The overrides field works similarly to npm.

{
  "overrides": {
    "stylus": "github:stylus/stylus#version-you-need"
  }
}

Example with Specific Version (e.g., 0.54.4):

{
  "resolutions": {
    "stylus": "github:stylus/stylus#0.54.4"
  }
}

Note: Clear the Yarn cache (yarn cache clean) if you encounter issues. Ensure the specified tag, branch, or commit exists in the repository.

For pnpm

Option 1: Reference in Dependencies

pnpm supports referencing GitHub repositories in the dependencies section using the github:username/repo#branch-or-tag syntax.

{
  "dependencies": {
    "stylus": "github:stylus/stylus#version-you-need"
  }
}

Example with Specific Version (e.g., 0.54.4):

{
  "dependencies": {
    "stylus": "github:stylus/stylus#0.54.4"
  }
}

Option 2: Use Overrides

pnpm supports the overrides field in package.json to override package versions.

{
  "overrides": {
    "stylus": "github:stylus/stylus#version-you-need"
  }
}

Example with Specific Version (e.g., 0.54.4):

{
  "overrides": {
    "stylus": "github:stylus/stylus#0.54.4"
  }
}

Note: pnpm uses a content-addressable store, so you may need to clear the store (pnpm store prune) or use --force when installing if the repository content changes. Ensure the specified tag, branch, or commit exists.

General Notes

  • Version Specification: Replace version-you-need with a valid branch, tag, or commit hash (e.g., 0.54.4, main, or a commit like a1b2c3d). Verify that the tag/branch/commit exists in the stylus/stylus repository.
  • Caching: Each package manager caches GitHub dependencies differently. Clear caches (npm: npm cache clean --force, Yarn: yarn cache clean, pnpm: pnpm store prune) if you encounter issues.
  • Performance: Referencing GitHub repositories may be slower than using packages from the npm registry, as it involves cloning the repository.
  • Security: Ensure the repository and specified commit are trusted, as you’re pulling code directly from GitHub.
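The Security note above is the one that matters most: a tag such as 0.54.4 or a short hash like a1b2c3d is a mutable or ambiguous reference, and only a full 40-character commit SHA pins what actually gets installed. The following is an added example (not code from the issue thread or the stylus project) that audits a package.json for github: specifiers in the fields used by the workaround and reports any that are not pinned to a full commit; the sample package.json is constructed.

```javascript
// Added example: flag github: dependency specifiers that are not pinned
// to an immutable full commit SHA. Tags and branches can be moved or
// deleted, so "github:stylus/stylus#0.54.4" may resolve differently later.
const FULL_SHA = /^[0-9a-f]{40}$/i;

// Parse "github:owner/repo#ref" (and the bare "owner/repo#ref" shorthand).
// Returns null for anything else (registry ranges, file:, etc.).
function parseGithubSpec(spec) {
  const m = /^(?:github:)?([\w.-]+)\/([\w.-]+)(?:#(.+))?$/.exec(spec);
  if (!m) return null;
  return { owner: m[1], repo: m[2], ref: m[3] || null };
}

// Classify one dependency spec; returns a finding object or null if fine.
function checkSpec(name, spec, field) {
  const gh = parseGithubSpec(spec);
  if (!gh) return null; // not a GitHub reference
  if (!gh.ref) return { name, field, spec, problem: "no ref: follows default branch" };
  if (FULL_SHA.test(gh.ref)) return null; // immutable pin
  const short = /^[0-9a-f]{7,39}$/i.test(gh.ref);
  return { name, field, spec, problem: short ? "short sha (ambiguous)" : "mutable tag/branch" };
}

// Walk the fields where the workaround puts github: references.
// Nested override objects (npm supports them) are skipped as non-strings.
function auditPackageJson(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "overrides", "resolutions"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (typeof spec !== "string") continue;
      const f = checkSpec(name, spec, field);
      if (f) findings.push(f);
    }
  }
  return findings;
}

// Constructed sample mirroring the workaround: a tag in dependencies and a
// short hash in overrides. Both are reported; express is a registry range.
const samplePkg = {
  dependencies: { stylus: "github:stylus/stylus#0.54.4", express: "^4.19.0" },
  overrides: { stylus: "github:stylus/stylus#a1b2c3d" },
};
console.log(auditPackageJson(samplePkg));
```

Run it as `node audit.js` (any file name works); an empty array means every GitHub reference is pinned to a full commit, which is what the generated lockfile should also record under "resolved".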

current status


I have been doing my best to deal with this issue. If you are able to contact an official employee of npmjs directly, please help us resolve this issue. Thank you.

https://nvd.nist.gov/vuln/detail/CVE-2025-6044 Based on the description of this CVE, I believe it is unrelated to the Stylus library.

please help me retweet https://x.com/chenleidev/status/1947878300086624601

Misleading info: perhaps the Stylus Chrome extension or some other software with the same name has affected us, and, you know, it's not a good thing for software to share a name.

I suspect that npmjs officially mislabeled the stylus library, preventing developers from downloading stylus. I apologize for this.

!!!! Does anyone know anyone who works at npmjs? Can I contact them directly? It's clear that submitting a ticket to deal with this issue will take a very long time. We need help.
