medikoo / es5-ext

ECMAScript extensions (with respect to upcoming ECMAScript features)
ISC License

package being detected as a virus #186

Open aviramha opened 1 year ago

aviramha commented 1 year ago

Note from the maintainer:

This package conditionally displays a friendly message when installed via npm.

_The message appears only if the computer's locale timezone is set to one of the Russian timezones and politely advises users to seek reliable sources of truth regarding the war in Ukraine. The message is short and concise._

Note that it is not uncommon for npm packages to print some information upon installation. Hundreds of packages on npm do this: https://github.com/search?q=%22%5C%22postinstall%5C%22%22+language:json&type=code. Are they reported by any anti-virus software?

This post-install logic is not part of the package's core functionality. It does not affect how the package operates when used. If you rely on a prepackaged product that depends on this package, this logic is not included in your product.

At worst, this behavior could be considered protestware, but labeling it as dangerous to users is simply incorrect. If any anti-virus software flags this behavior, please report it to them, as this is a bug on their side that unnecessarily complicates your experience.


Original post:

We updated our version of es5-ext and faced an error when publishing to the VS Code marketplace when they ran an anti-virus scan. Checking it offline, we found out that VirusTotal started detecting the version with the manifest as a virus, hence forcing us to stay with the last version before the manifest.

I don't wish to get into the politics and decision - I believe this is entirely up to the package creator and maintainer to decide as it's their software, but I'm opening this as an FYI.

medikoo commented 1 month ago

I've added an extra explanation in the top description

scotty6435 commented 1 month ago

The problem is its presence, not its context

medikoo commented 1 week ago

FYI: https://www.wsj.com/politics/national-security/biden-administration-bans-u-s-sales-of-kaspersky-software-f7b7298a

PeterDaveHello commented 1 week ago

@medikoo not sure if you'd like to lock this issue as there's no more helpful discussion.