socket-security[bot]
commented
1 year ago Socket Security Pull Request Report
Dependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again.
📜 Install scripts
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
| Package | Script field | Location |
|---|---|---|
| @parcel/watcher@2.0.4 (added) | binding.gyp |
package.json via nx@15.0.8 |
| nx@15.0.8 (added) | postinstall |
package.json |
| @parcel/watcher@2.0.4 (added) | install |
package.json via nx@15.0.8 |
🫣 Native code
Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.
Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.
| Package | Location |
|---|---|
| @parcel/watcher@2.0.4 (added) | package.json via nx@15.0.8 |
😵💫 Bin script confusion
This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing or could be a sign of a supply chain attack
Consider removing one of the conflicting packages. Packages should only export bin scripts with their name
| Package | Bin script | Location |
|---|---|---|
| @zkochan/js-yaml@0.0.6 (added) | js-yaml |
package.json via nx@15.0.8 |
| js-yaml@3.13.1 (added) | js-yaml |
package.json via @istanbuljs/load-nyc-config@1.1.0,packages/tts-app/package.json via codecov@3.7.1,packages/tts-cli/package.json via codecov@3.7.1,packages/tts-lib/package.json via codecov@3.7.1,packages/web-tts/package.json via nyc@15.1.0, @istanbuljs/load-nyc-config@1.1.0 |
| js-yaml@3.14.1 (added) | js-yaml |
package.json via nx@15.0.8, @yarnpkg/parsers@3.0.0-rc.27,packages/web-tts/package.json |
| js-yaml@4.1.0 (added) | js-yaml |
package.json,packages/web-tts/package.json via standard@14.3.4, eslint-config-standard@14.1.1, eslint@8.26.0 |
Pull request report summary
| Issue | Status |
|---|---|
| Install scripts | ⚠️ 3 issues |
| Native code | ⚠️ 1 issue |
| Bin script confusion | ⚠️ 4 issues |
| Bin script shell injection | ✅ 0 issues |
| Unresolved require | ✅ 0 issues |
| Invalid package.json | ✅ 0 issues |
| HTTP dependency | ✅ 0 issues |
| Git dependency | ✅ 0 issues |
| Non-existent author | ✅ 0 issues |
| Potential typo squat | ✅ 0 issues |
| Known Malware | ✅ 0 issues |
| Telemetry | ✅ 0 issues |
| Protestware/Troll package | ✅ 0 issues |
Bot Commands
To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@2.4.2
@SocketSecurity ignore @parcel/watcher@2.0.4@SocketSecurity ignore nx@15.0.8@SocketSecurity ignore @zkochan/js-yaml@0.0.6@SocketSecurity ignore js-yaml@3.13.1@SocketSecurity ignore js-yaml@3.14.1
Powered by socket.dev
Fixes parse-url security alert.