Closed boeckMt closed 1 year ago
New dependency changes detected. Learn more about Socket for GitHub ↗︎
🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.
To ignore an alert, reply with a comment starting with @SocketSecurity ignore
followed by a space separated list of package-name@version
specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@*
or ignore all packages with @SocketSecurity ignore-all
@SocketSecurity ignore esbuild@0.15.5
@SocketSecurity ignore es5-ext@0.10.62
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
Package | Script field | Source |
---|---|---|
esbuild@0.15.5 (upgraded) | postinstall |
package-lock.json via @angular-devkit/build-angular@14.2.11, ng-packagr@14.2.2 |
es5-ext@0.10.62 (upgraded) | postinstall |
package-lock.json via @compodoc/compodoc@1.1.19, projects/demo-maps/package.json via @dlr-eoc/services-ogc@11.0.0-alpha.1, projects/services-ogc/package.json via opensearch-browser@2.0.0-alpha.6 |
Issue | Status |
---|---|
Install scripts | ⚠️ 2 issues |
Native code | ✅ 0 issues |
Bin script shell injection | ✅ 0 issues |
Unresolved require | ✅ 0 issues |
Invalid package.json | ✅ 0 issues |
HTTP dependency | ✅ 0 issues |
Git dependency | ✅ 0 issues |
Potential typo squat | ✅ 0 issues |
Known Malware | ✅ 0 issues |
Telemetry | ✅ 0 issues |
Protestware/Troll package | ✅ 0 issues |
📊 Modified Dependency Overview:
🚮 Removed packages: @types/node@14.18.23
PR Checklist
Please check if your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
What is the current behavior?
The management of dependencies in the repository is done in the root package.json, so npm install only uses this as source. It would be better to only declare dependencies in the packages that actually use them. With npm workspaces it is possible to install and declare dependencies more pertinent to the appropriate packages.
To sync versions for some of the dependencies we used placeholders that were replaced at build time. Unfortunately, this is currently not possible with workspaces and the placeholders prevent the installation of workspaces.
Issue Number: https://github.com/dlr-eoc/ukis-frontend-libraries/issues/55
What is the new behavior?
All package versions are now managed trough npm workspaces.
To sync versions a small script in ukis-libraries-scripts has been implemented and all versions are now set to current versions to remove the placeholders.
Does this PR introduce a breaking change?
Other information
Is it part of one/more packages and which?