Closed mcmire closed 1 year ago
New dependency changes detected. Learn more about Socket for GitHub ↗︎
🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.
To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers, e.g. @SocketSecurity ignore foo@1.0.0 bar@*, or ignore all packages with @SocketSecurity ignore-all
@SocketSecurity ignore inline-source-map@0.6.2
@SocketSecurity ignore stream-splicer@2.0.1
@SocketSecurity ignore tty-browserify@0.0.1
@SocketSecurity ignore os-browserify@0.3.0
@SocketSecurity ignore for-each@0.3.3
@SocketSecurity ignore defined@1.0.1
@SocketSecurity ignore console-browserify@1.2.0
@SocketSecurity ignore md5.js@1.3.5
@SocketSecurity ignore source-map@0.5.7
@SocketSecurity ignore deps-sort@2.0.1
@SocketSecurity ignore domain-browser@1.2.0
@SocketSecurity ignore wrappy@1.0.2
@SocketSecurity ignore browserify-zlib@0.2.0
@SocketSecurity ignore des.js@1.0.1
@SocketSecurity ignore function-bind@1.1.1
@SocketSecurity ignore asn1.js@5.4.1
@SocketSecurity ignore brorand@1.1.0
@SocketSecurity ignore simple-concat@1.0.1
@SocketSecurity ignore path-parse@1.0.7
@SocketSecurity ignore supports-preserve-symlinks-flag@1.0.0
@SocketSecurity ignore buffer-xor@1.0.3
@SocketSecurity ignore balanced-match@1.0.2
@SocketSecurity ignore available-typed-arrays@1.0.5
@SocketSecurity ignore labeled-stream-splicer@2.0.2
@SocketSecurity ignore buffer@5.2.1
@SocketSecurity ignore timers-browserify@1.4.2
@SocketSecurity ignore stream-http@3.2.0
@SocketSecurity ignore through@2.2.7
@SocketSecurity ignore miller-rabin@4.0.1
@SocketSecurity ignore once@1.4.0
@SocketSecurity ignore is-generator-function@1.0.10
@SocketSecurity ignore has-symbols@1.0.3
@SocketSecurity ignore call-bind@1.0.2
@SocketSecurity ignore events@3.3.0
@SocketSecurity ignore vm-browserify@1.1.2
@SocketSecurity ignore browserify-des@1.0.2
@SocketSecurity ignore browserify-cipher@1.0.1
@SocketSecurity ignore create-ecdh@4.0.4
@SocketSecurity ignore object-assign@4.1.1
@SocketSecurity ignore isarray@1.0.0
@SocketSecurity ignore is-arguments@1.1.1
@SocketSecurity ignore brace-expansion@1.1.11
@SocketSecurity ignore has-tostringtag@1.0.0
@SocketSecurity ignore xtend@4.0.2
@SocketSecurity ignore is-buffer@1.1.6
@SocketSecurity ignore lodash.memoize@3.0.4
@SocketSecurity ignore stream-browserify@3.0.0
@SocketSecurity ignore get-assigned-identifiers@1.2.0
@SocketSecurity ignore inflight@1.0.6
@SocketSecurity ignore evp_bytestokey@1.0.3
Ignoring: acorn@7.4.1, browser-pack@6.1.0, browser-resolve@2.0.0, browserify@17.0.0, convert-source-map@1.1.3, dash-ast@1.0.0, detective@5.2.1, fs.realpath@1.0.0, glob@7.2.3, insert-module-globals@7.2.1, JSONStream@1.3.5, mkdirp-classic@0.5.3, module-deps@6.2.3, public-encrypt@4.0.3, resolve@1.22.2, sha.js@2.4.11, syntax-error@1.4.0, umd@3.0.3, undeclared-identifiers@1.1.3, builtin-status-codes@3.0.0, https-browserify@1.0.0, concat-map@0.0.1, parents@1.0.1, read-only-stream@2.0.0, stream-combiner2@1.1.1, subarg@1.0.0, typedarray@0.0.6, acorn-walk@7.2.0, assert@1.5.0, browserify-aes@1.2.0, browserify-rsa@4.1.0, browserify-sign@4.2.1, buffer-from@1.1.2, cached-path-relative@1.1.0, create-hash@1.2.0, create-hmac@1.1.7, inherits@2.0.1, inherits@2.0.4, minimalistic-assert@1.0.1, parse-asn1@5.1.6, process-nextick-args@2.0.1, randombytes@2.1.0, randomfill@1.0.4, readable-stream@2.3.8, readable-stream@3.6.2, ripemd160@2.0.2, string_decoder@1.1.1, string_decoder@1.3.0, url@0.11.0, querystring@0.2.0
A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.
Package has not been updated in more than a year and may be unmaintained. Problems with the package may go unaddressed.
Packages should publish periodic maintenance releases if they are maintained, or be deprecated if there is no intention of further maintenance.
Issue | Status
---|---
Critical CVE | ✅ 0 issues
CVE | ✅ 0 issues
Mild CVE | ✅ 0 issues
Install scripts | ✅ 0 issues
Native code | ✅ 0 issues
Bin script confusion | ✅ 0 issues
Bin script shell injection | ✅ 0 issues
Filesystem access | ✅ 0 issues
Network access | ✅ 0 issues
Shell access | ✅ 0 issues
Unresolved require | ✅ 0 issues
Invalid package.json | ✅ 0 issues
HTTP dependency | ✅ 0 issues
Git dependency | ✅ 0 issues
GitHub dependency | ✅ 0 issues
No bug tracker | ✅ 0 issues
No contributors or author data | ✅ 0 issues
No README | ✅ 0 issues
Deprecated | ✅ 0 issues
New author | ⚠️ 13 issues
Unstable ownership | ✅ 0 issues
Non-existent author | ✅ 0 issues
Unmaintained | ⚠️ 80 issues
Unpublished package | ✅ 0 issues
Potential typo squat | ✅ 0 issues
Known Malware | ✅ 0 issues
Telemetry | ✅ 0 issues
Protestware/Troll package | ✅ 0 issues
AI detected security risk | ✅ 0 issues
AI warning | ✅ 0 issues
Modified Dependency Overview:
Added Package | Capability Access | +/- Transitive Count | Publisher
---|---|---|---
browserify@17.0.0 | eval, network, filesystem, shell, environment | +147 | goto-bus-stop
@danfinlay I would love to use our GH Pages action, but it assumes that the project uses Yarn, which this one does not (yet). It may be an easy fix to make that work, but I wasn't sure. I figure we can just manually push to gh-pages for now until I can get that set up. But that would be a next logical step to automate redeploying to GH Pages when a new commit is added to master.
yeah, we update this so infrequently that I don't think it's terrible to just hard code a build
@SocketSecurity ignore acorn@7.4.1
@SocketSecurity ignore browser-pack@6.1.0
@SocketSecurity ignore browser-resolve@2.0.0
@SocketSecurity ignore browserify@17.0.0
@SocketSecurity ignore convert-source-map@1.1.3
@SocketSecurity ignore dash-ast@1.0.0
@SocketSecurity ignore detective@5.2.1
@SocketSecurity ignore fs.realpath@1.0.0
@SocketSecurity ignore glob@7.2.3
@SocketSecurity ignore insert-module-globals@7.2.1
@SocketSecurity ignore JSONStream@1.3.5
@SocketSecurity ignore mkdirp-classic@0.5.3
@SocketSecurity ignore module-deps@6.2.3
@SocketSecurity ignore public-encrypt@4.0.3
@SocketSecurity ignore resolve@1.22.2
@SocketSecurity ignore sha.js@2.4.11
@SocketSecurity ignore syntax-error@1.4.0
@SocketSecurity ignore umd@3.0.3
@SocketSecurity ignore undeclared-identifiers@1.1.3
@SocketSecurity ignore builtin-status-codes@3.0.0
@SocketSecurity ignore https-browserify@1.0.0
@SocketSecurity ignore concat-map@0.0.1
@SocketSecurity ignore parents@1.0.1
@SocketSecurity ignore read-only-stream@2.0.0
@SocketSecurity ignore stream-combiner2@1.1.1
@SocketSecurity ignore subarg@1.0.0
@SocketSecurity ignore typedarray@0.0.6
@SocketSecurity ignore acorn-walk@7.2.0
@SocketSecurity ignore assert@1.5.0
@SocketSecurity ignore browserify-aes@1.2.0
@SocketSecurity ignore browserify-rsa@4.1.0
@SocketSecurity ignore browserify-sign@4.2.1
@SocketSecurity ignore buffer-from@1.1.2
@SocketSecurity ignore cached-path-relative@1.1.0
@SocketSecurity ignore create-hash@1.2.0
@SocketSecurity ignore create-hmac@1.1.7
@SocketSecurity ignore inherits@2.0.1
@SocketSecurity ignore inherits@2.0.4
@SocketSecurity ignore minimalistic-assert@1.0.1
@SocketSecurity ignore parse-asn1@5.1.6
@SocketSecurity ignore process-nextick-args@2.0.1
@SocketSecurity ignore randombytes@2.1.0
@SocketSecurity ignore randomfill@1.0.4
@SocketSecurity ignore readable-stream@2.3.8
@SocketSecurity ignore readable-stream@3.6.2
@SocketSecurity ignore ripemd160@2.0.2
@SocketSecurity ignore string_decoder@1.1.1
@SocketSecurity ignore string_decoder@1.3.0
@SocketSecurity ignore url@0.11.0
@SocketSecurity ignore querystring@0.2.0
w/e
Add a build-demo script which will build the demo page to the demo-build/ directory. This directory can then be copied to a gh-pages branch so that we can publish the demo page to GitHub Pages. Also, considering that we also need an HTML file to build the demo page, move that along with the JavaScript file to the demo/ directory.