forcedotcom / analyticsdx-vscode

Salesforce Analytics Extensions for Visual Studio Code
BSD 3-Clause "New" or "Revised" License

Change analyticsdx-template-lint to @salesforce #139

Closed smithgp closed 2 years ago

smithgp commented 2 years ago

Fixes the security alert on analyticsdx-template-lint.

This is a false positive security alert, triggered due to someone publishing a fake malware analyticsdx-template-lint package to npm, which npm caught, removed, and then published an empty marker package for, which triggered the GitHub alert. However, in this repo, analytics-template-lint is an internal source folder referenced via lerna and never downloaded from npm, so it was not actually affected by the npm security alert.

In any case, switching the name of the internal source package to @salesforce/analyticsdx-template-lint should:

  1. Make the false-positive security alert go away.
  2. Prevent this case in the future since only validated people should be able to publish to the @salesforce npm scope.
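
The check below is an added example, not code from this pull request or the project: it audits a monorepo's internal package manifests for names outside the organization's npm scope, which is the condition that let an unrelated public package with the same name trigger the alert. The manifests are constructed sample data; the dependent package name `@salesforce/analyticsdx-example-ext` and the version numbers are hypothetical.

```javascript
// Constructed sample manifests standing in for the package.json files of the
// internal packages in a lerna monorepo (illustrative values only).
const SAMPLE_MANIFESTS = [
  { name: 'analyticsdx-template-lint', version: '1.0.0' },
  {
    name: '@salesforce/analyticsdx-example-ext', // hypothetical dependent
    version: '1.0.0',
    dependencies: { 'analyticsdx-template-lint': '1.0.0', lodash: '^4.17.21' },
  },
];

// npm scope whose publish rights the organization controls (assumption).
const TRUSTED_SCOPE = '@salesforce';

// Returns '@scope' for a scoped package name, or null for an unscoped one.
function scopeOf(name) {
  return name.startsWith('@') && name.includes('/') ? name.split('/')[0] : null;
}

// Returns one finding per internal package whose name is outside the trusted
// scope, with the scoped name to move to and the sibling packages that
// reference it by its current name (those references need the same rename).
function auditInternalNames(manifests, trustedScope) {
  const findings = [];
  for (const pkg of manifests) {
    if (scopeOf(pkg.name) === trustedScope) continue;
    const bare = pkg.name.includes('/') ? pkg.name.split('/')[1] : pkg.name;
    const dependents = manifests
      .filter((other) => {
        const deps = { ...other.dependencies, ...other.devDependencies };
        return Object.prototype.hasOwnProperty.call(deps, pkg.name);
      })
      .map((other) => other.name);
    findings.push({ name: pkg.name, suggested: `${trustedScope}/${bare}`, dependents });
  }
  return findings;
}

for (const f of auditInternalNames(SAMPLE_MANIFESTS, TRUSTED_SCOPE)) {
  const refs = f.dependents.join(', ') || 'no sibling packages';
  console.log(`${f.name}: rename to ${f.suggested}; referenced by ${refs}`);
}
```
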