OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Missing vulnerability details - styled-components - sonatype-2022-2249 #331

Closed albertwangnz closed 1 year ago

albertwangnz commented 1 year ago

Vulnerability URL

https://ossindex.sonatype.org/vulnerability/sonatype-2022-2249?component-type=npm&component-name=styled-components

Component URL

https://ossindex.sonatype.org/component/pkg:npm/styled-components

Description

OSS Index reports the vulnerability [sonatype-2022-2249 - The application contains code that appears to be malicious in nature] in styled-components. It provides the reference.

However, there is no related information in the reference.

Can anybody explain the issue?

Thank you.

albertwangnz commented 1 year ago

Reply from ken-duck

The styled-components package has an Unintended Behavior. The postinstall.js file looks for users using a ru time-zone to show a political protest message using the console.warn() function. Also, the absence of this file in the 5.3.4 version causes a crash when the package is installed.
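The reply above describes two distinct install-time problems: a postinstall hook that branches on the user's time zone and prints a message, and a release whose hook command points at a file that was not shipped, so the install itself fails. The following is an added example, not code from this thread or from the styled-components project, of how a reviewer can audit both from the contents of a published package. The manifest, the hook script and the file lists are constructed stand-ins (the `example-lib` name, the version numbers and the `auditInstallHooks` helper are all assumptions for the example, not the real package).

```javascript
// Added example (not from the original thread or the styled-components project).
// Audits the install-time lifecycle hooks of an npm package: lists each hook,
// checks that every script file the hook command refers to is actually present
// in the published file set, and flags hook scripts that branch on the user's
// time zone, print to the console, touch the network or spawn a shell.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Patterns a reviewer wants a second look at when they appear in an install hook.
const SUSPICIOUS_PATTERNS = [
  { flag: 'timezone-check', re: /resolvedOptions\(\)\.timeZone|process\.env\.TZ\b/ },
  { flag: 'console-message', re: /console\.(warn|error|log)\s*\(/ },
  { flag: 'network', re: /require\(\s*['"](https?|net|dns)['"]\s*\)|\bfetch\s*\(/ },
  { flag: 'shell-exec', re: /child_process|execSync\s*\(|spawn\s*\(/ },
];

// Extract the script file(s) an npm hook command runs, e.g. "node ./postinstall.js".
function scriptFilesOf(command) {
  return (command.match(/[\w./-]+\.[cm]?js\b/g) || []).map(f => f.replace(/^\.\//, ''));
}

// manifest: parsed package.json; publishedFiles: Map of path -> content for the
// files that are actually in the tarball (what `npm pack` would produce).
function auditInstallHooks(manifest, publishedFiles) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = scripts[hook];
    for (const file of scriptFilesOf(command)) {
      const present = publishedFiles.has(file);
      const source = present ? publishedFiles.get(file) : '';
      const flags = SUSPICIOUS_PATTERNS.filter(p => p.re.test(source)).map(p => p.flag);
      findings.push({ hook, command, file, present, flags });
    }
  }
  return findings;
}

function formatReport(findings) {
  return findings.map(f => {
    if (!f.present) {
      // npm runs the command anyway; node exits non-zero and the whole install fails.
      return `${f.hook}: "${f.command}" -> ${f.file} MISSING from package (install will fail)`;
    }
    const note = f.flags.length ? `flags: ${f.flags.join(', ')}` : 'no flags';
    return `${f.hook}: "${f.command}" -> ${f.file} present (${note})`;
  });
}

// Constructed stand-in for a hook that shows a message only in selected time zones.
const SAMPLE_POSTINSTALL = `
const tz = Intl.DateTimeFormat().resolvedOptions().timeZone || '';
if (/^Europe\\/(Moscow|Kaliningrad|Samara)$/.test(tz)) {
  console.warn('message shown only to users in selected time zones');
}
`;

// Hypothetical package: both releases declare the same hook.
const MANIFEST_WITH_HOOK = {
  name: 'example-lib', version: '1.0.1',
  scripts: { postinstall: 'node ./postinstall.js' },
};
// Release that ships the hook script.
const FILES_WITH_HOOK_SCRIPT = new Map([
  ['package.json', '{}'],
  ['postinstall.js', SAMPLE_POSTINSTALL],
]);
// Release where the hook script was left out of the published tarball.
const FILES_MISSING_HOOK_SCRIPT = new Map([['package.json', '{}']]);

for (const [label, files] of [['with script', FILES_WITH_HOOK_SCRIPT],
                              ['missing script', FILES_MISSING_HOOK_SCRIPT]]) {
  console.log(`== ${label} ==`);
  for (const line of formatReport(auditInstallHooks(MANIFEST_WITH_HOOK, files))) console.log(line);
}
```

Run the audit against the published tarball (fetch it from the registry or build it with `npm pack`), not against a checkout of the repository: as the rest of this thread shows, the file may exist only on a release branch or tag and not on the default branch. When a hook looks questionable, `npm install --ignore-scripts` installs the package without running any lifecycle script.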

albertwangnz commented 1 year ago

Hi @ken-duck, sorry to bother you again. About [The postinstall.js file looks for users using a ru time-zone to show a political protest message using the console.warn() function.]:

I cannot find the file [postinstall.js] on their GitHub https://github.com/styled-components/styled-components. Do you know where the file is located?

Thank you.

drewheasman commented 1 year ago

@albertwangnz - here is the file: https://github.com/styled-components/styled-components/blob/legacy-v5/packages/styled-components/postinstall.js on the legacy-v5 branch

albertwangnz commented 1 year ago

> @albertwangnz - here is the file: https://github.com/styled-components/styled-components/blob/legacy-v5/packages/styled-components/postinstall.js on the legacy-v5 branch

Thanks, @drewheasman. I now also see the file on the other v5 tags, like v5.3.6.

albertwangnz commented 1 year ago

I can find the Unintended Behavior code, so I will close the issue here. Thank you.