medikoo / es5-ext

ECMAScript extensions (with respect to upcoming ECMAScript features)
ISC License

Violation of Security-Malicious #191

Closed jonataswalker closed 1 year ago

jonataswalker commented 1 year ago

Is there a chance to make politics anywhere else?

[screenshot]

medikoo commented 1 year ago

@jonataswalker what tool exactly reports that to you?

Note that all the package does is print a short message on installation, nothing harmful and nothing that unusual (hundreds of npm packages do that).

This is known to be reported by Russian-owned anti-virus tools (we're discussing it at #186).

jonataswalker commented 1 year ago

IQ Server - Sonatype

medikoo commented 1 year ago

@jonataswalker is there a dedicated page for this violation where I can contact Sonatype?

jonataswalker commented 1 year ago

It looks like there's a path starting from https://ossindex.sonatype.org/component/pkg:npm/es5-ext

eugene1g commented 1 year ago

This package is flagged as problematic also by Socket, i.e. https://socket.dev/npm/package/es5-ext/issues/0.10.62

postinstall scripts are a big red flag for security teams. Using postinstall for political purposes, or asking for donations, or publishing news will lead to that package being slowly deprecated/banned from the community.

jonataswalker commented 1 year ago

Isn't it (at least) a curious "call for peace"?

I have a broken pipeline, therefore an interrupted deploy. I have to prepare a justification for the security team to suppress this issue and let the work go on.

eugene1g commented 1 year ago

> I have a broken pipeline, therefore an interrupted deploy. I have to prepare a justification for the security team to suppress this issue and let the work go on.

Same. This also impacts all downstream projects, and any library that ends up installing es5-ext through indirect dependencies. For example, if I try to add cubejs, our security rules will block the PR for reasons that I now have to investigate/explain/defend:

[screenshot of the blocked PR]

medikoo commented 1 year ago

I'm closing this as duplicate of https://github.com/medikoo/es5-ext/issues/186 (please funnel all discussion there).

@eugene1g as in screenshot, this package just prints a short message on installation, it's nothing to be worried about security-wise. Best if you just ignore it.