Dear community members,
while restructuring our "Collaborators and Teams" on GitHub recently, we
noticed that some of you have not yet enabled two-factor authentication
(2FA), and that a few accounts are still using authentication methods
considered "insecure" by GitHub.
To strengthen the security of the ILIAS project and protect our shared
development infrastructure, we plan to make 2FA mandatory for all
contributors.
You can find detailed setup instructions here (GitHub Docs):
https://docs.github.com/en/authentication/securing-your-account-with-two-fa…
We will enforce this requirement starting November 17th, 2025.
After this date, we will begin revoking repository access for accounts
that do not have 2FA enabled.
If you have any reasonable objections or concerns about this change,
please reach out to us as early as possible.
In addition, we encourage all contributors to use "Verified Commits"
when pushing code.
Signed commits help ensure that:
- The code you publish can be cryptographically linked to you as its author.
- The integrity of the commit history cannot be tampered with (e.g., by
impersonation or repository compromise).
Further reading and setup guides:
- How to get the GitHub Verified icon:
https://blog.ediri.io/how-to-get-the-github-verified-icon
- About commit signature verification (GitHub Docs):
https://docs.github.com/en/authentication/managing-commit-signature-verific…
- PHP.net Git hack and the importance of commit signing:
https://php.watch/news/2021/03/git-php-net-hack
Best regards,
Michael
on behalf of the Technical Board
Dear colleagues!
---
TL/DR: Please use `npm clean-install` to install npm-dependencies and be careful when updating packages.
---
A little longer: Please be aware of the current supply-chain-attack on the npm-ecosystem:
* https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-at…
* https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm…
* https://www.paloaltonetworks.com/blog/cloud-security/npm-supply-chain-attac…
* https://www.heise.de/news/Neuer-NPM-Grossangriff-Selbst-vermehrende-Malware…
As far as we understand the situation, the attack is ongoing and additional packages might be affected in the course of future events.
On the bright side, we are safe if everyone uses `npm clean-install`, as this will always pull the exact versions that we have pinned in `package-lock.json`. These are (to the best of our knowledge...) not affected. Also, existing versions of npm-Packages won't be replaced with other code (again, to the best of our knowledge). If this is not true and you can indeed identify malicious packages in our npm-dependencies, please don't hesitate to report them to security(a)ilias.de.
On the other hand, every operation that might update pinned packages (be it `npm install` or `npm update`) might pull versions of libraries that are indeed affected. Please make sure to understand the risk involved here and consider postponing any update of npm-dependencies until the attack and its consequences are mitigated. If you indeed need to update npm-dependencies now, please make sure to check the implied changes in the package-lock.json thoroughly against an up-to-date list of affected packages.
It currently looks as if we are safe and can weather this situation just fine, which is a direct consequence of our tightened procedures around our dependencies, especially the centralized handling and the Dependency Jour Fixe. Good job everyone!
If there are any questions or ideas, feel warmly welcome to reach out to us via tb(a)ilias.de or Discord.
Kind regards!
Richard Klees
for the Technical Board of the ILIAS Society
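One way to run the lockfile check the message above asks for before committing an update, as an added example that is not part of the original e-mail or ILIAS project code. It assumes `lockfileVersion` 2 or 3 (the top-level `packages` map); the package names, hashes and the affected list are constructed placeholders.

```javascript
// Added example, not ILIAS project code. Assumes lockfileVersion 2 or 3,
// where pinned packages live in the top-level "packages" map.

// Collect "name@version" -> integrity from a parsed package-lock.json.
function pinned(lock) {
  const out = new Map();
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || meta.link || !meta.version) continue; // root project, workspace links
    const i = path.lastIndexOf(marker); // nested: node_modules/a/node_modules/@s/b
    const name = meta.name || (i === -1 ? path : path.slice(i + marker.length));
    out.set(`${name}@${meta.version}`, meta.integrity || null);
  }
  return out;
}

// Compare two lockfiles: every pin in `after` that is on the advisory list,
// every pin that is new, and every unchanged pin whose integrity hash differs.
function reviewLockChange(before, after, affected) {
  const old = pinned(before);
  const bad = new Set(affected);
  const report = { added: [], flagged: [], integrityChanged: [] };
  for (const [id, integrity] of pinned(after)) {
    if (bad.has(id)) report.flagged.push(id);
    if (!old.has(id)) report.added.push(id);
    else if (old.get(id) !== integrity) report.integrityChanged.push(id);
  }
  return report;
}

// Constructed sample data (hypothetical package names and hashes).
const before = { lockfileVersion: 3, packages: {
  "": { name: "demo" },
  "node_modules/example-colors": { version: "1.4.0", integrity: "sha512-AAA" },
  "node_modules/@demo/util": { version: "2.0.0", integrity: "sha512-BBB" },
} };
const after = { lockfileVersion: 3, packages: {
  "": { name: "demo" },
  "node_modules/example-colors": { version: "1.4.1", integrity: "sha512-CCC" },
  "node_modules/@demo/util": { version: "2.0.0", integrity: "sha512-DDD" },
  "node_modules/example-colors/node_modules/example-ansi": { version: "6.2.1", integrity: "sha512-EEE" },
} };
const affected = ["example-colors@1.4.1", "example-ansi@9.9.9"];
const report = reviewLockChange(before, after, affected);
console.log(report);
```

In practice `before` and `after` would be the parsed committed and updated `package-lock.json`, and `affected` a current advisory list; an entry under `integrityChanged` means an already pinned version now resolves to different content and needs a closer look.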
Dear all,
We are postponing the release of ILIAS 9.14 today to next Tuesday 23 September due to pending fixes. We also intend to publish ILIAS 8.23 and 10.2 next Tuesday.
Best regards
Fabian Wolf
Dear all,
We would like to publish ILIAS 9.14 on Tuesday, September 16, 2025.
If you need more time to fix issues that should become part of this release, please let me know.
Best regards
Fabian Wolf