Hi Testing Library team,
Quick security heads-up: the bare testing-library npm namespace — the intuitive alias for @testing-library/react and related packages — is held by a third-party account (lortmann), not by the testing-library org.
AI coding agents recommend testing-library as the natural bare package name. If that account is compromised, developers running AI-generated test scaffolds would execute untrusted code in their CI environments — which typically have access to deployment keys and secrets.
Recommended action: Claim testing-library defensively under the testing-library npm org. A placeholder is sufficient.
Part of coordinated disclosure BSQT-2026-001 — publishing publicly in ~2 weeks.
— DJ (https://github.com/zkDeej)
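A defender-side check suggested by the report above, written as an added example (it is not the reporter's or the project's code): scan a project's dependencies for a bare name that matches the org of a scoped dependency it also uses, then compare the npm maintainer sets of the two. The package.json and maintainer lists are constructed samples; in CI the maintainer data would come from `npm view <pkg> maintainers --json`.

```javascript
// Added example: detect a "bare alias" dependency (e.g. "testing-library")
// sitting next to a scoped package from the org it imitates
// ("@testing-library/react") and check whether both share a maintainer.
// All metadata below is CONSTRUCTED so the check runs offline.

// Constructed project manifest: scoped package plus its bare look-alike.
const packageJson = {
  dependencies: { react: "^18.0.0" },
  devDependencies: {
    "@testing-library/react": "^14.0.0",
    "testing-library": "^1.0.0",
    lodash: "^4.17.21",
  },
};

// Constructed maintainer lists (stand-ins for `npm view <pkg> maintainers --json`).
const registry = {
  "@testing-library/react": { maintainers: ["org-maintainer-a", "org-maintainer-b"] },
  "testing-library": { maintainers: ["unrelated-account"] },
  react: { maintainers: ["react-maintainer"] },
  lodash: { maintainers: ["lodash-maintainer"] },
};

function allDeps(pkg) {
  return Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
}

// Bare names equal to the org part of some scoped dependency, e.g. "foo" next to "@foo/bar".
function findBareAliases(depNames) {
  const orgs = new Set(
    depNames.filter((n) => n.startsWith("@")).map((n) => n.slice(1).split("/")[0])
  );
  return depNames.filter((n) => !n.startsWith("@") && orgs.has(n));
}

// For each alias, report whether any of its maintainers also maintains the
// scoped packages; no overlap means the bare name is held by someone else.
function auditAliases(pkg, lookup) {
  const deps = allDeps(pkg);
  return findBareAliases(deps).map((bare) => {
    const scoped = deps.filter((n) => n.startsWith(`@${bare}/`));
    const orgMaintainers = new Set(scoped.flatMap((n) => (lookup(n) || { maintainers: [] }).maintainers));
    const bareMaintainers = (lookup(bare) || { maintainers: [] }).maintainers;
    const sameOwner = bareMaintainers.some((m) => orgMaintainers.has(m));
    return { bare, scoped, bareMaintainers, sameOwner };
  });
}

for (const f of auditAliases(packageJson, (name) => registry[name])) {
  const tag = f.sameOwner ? "ok     " : "WARNING";
  console.log(`${tag} ${f.bare} (maintainers: ${f.bareMaintainers.join(", ")}) vs ${f.scoped.join(", ")}`);
}
```

A non-empty list of findings with `sameOwner: false` is the condition to fail the CI job on, before `npm install` runs anything.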