Closed vbar closed 1 year ago
Dependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again.
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.
Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.
This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function.
Package | Note | Source |
---|---|---|
es5-ext@0.10.62 (added) | This package prints a protestware console message on install regarding Ukraine for users with Russian language locale | hook-api-examples/carbon/package.json via xrpl-client@2.0.1, websocket@1.0.34,hook-api-examples/firewall/package.json via xrpl-client@2.0.1, websocket@1.0.34,hook-api-examples/notary/package.json via xrpl-client@2.0.1, websocket@1.0.34,hook-api-examples/peggy/package.json via xrpl-client@2.0.1, websocket@1.0.34,hook-api-examples/starter/package.json via xrpl-client@2.0.1, websocket@1.0.34 |
Issue | Status |
---|---|
Install scripts | ⚠️ 7 issues |
Native code | ⚠️ 3 issues |
Bin script confusion | ✅ 0 issues |
Bin script shell injection | ✅ 0 issues |
Unresolved require | ✅ 0 issues |
Invalid package.json | ✅ 0 issues |
HTTP dependency | ✅ 0 issues |
Git dependency | ✅ 0 issues |
Potential typo squat | ✅ 0 issues |
Known Malware | ✅ 0 issues |
Telemetry | ✅ 0 issues |
Protestware/Troll package | ⚠️ 1 issue |
To ignore an alert, reply with a comment starting with @SocketSecurity ignore
followed by a space separated list of package-name@version
specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@2.4.2
@SocketSecurity ignore tiny-secp256k1@1.1.6
@SocketSecurity ignore bufferutil@4.0.7
@SocketSecurity ignore utf-8-validate@5.0.10
@SocketSecurity ignore es5-ext@0.10.62
⚠️ Please accept the latest app permissions to ensure bot commands work properly. Accept the new permissions here.
Powered by socket.dev
Moved examples to separate directories. Added Node.JS scripts to compile, deploy and test them, plus a README to describe dependencies and steps.