Closed jonataswalker closed 1 year ago
@jonataswalker what tool exactly reports that to you?
Note that all the package does is print a short message on installation; nothing harmful, and not that unusual (hundreds of npm packages do that).
This is known to be reported by Russian-owned anti-virus tools (we're discussing it at #186).
@jonataswalker is there a dedicated page for this violation where I can contact Sonatype?
It looks like there's a path starting from https://ossindex.sonatype.org/component/pkg:npm/es5-ext
This package is flagged as problematic also by Socket, i.e. https://socket.dev/npm/package/es5-ext/issues/0.10.62
`postinstall` scripts are a big red flag for security teams. Using `postinstall` for political purposes, or asking for donations, or publishing news will lead to that package being slowly deprecated/banned from the community.
Isn't it (at least) a curious "call for peace"?
I have a broken pipeline, therefore an interrupted deploy. I have to prepare a justification for the security team to suppress this issue and let the work go on.
Same. This also impacts all downstream projects, and any library that ends up installing `es5-ext` through indirect dependencies. For example, if I try to add `cubejs`, our security rules will block the PR for reasons that I now have to investigate/explain/defend:
I'm closing this as duplicate of https://github.com/medikoo/es5-ext/issues/186 (please funnel all discussion there).
@eugene1g as in screenshot, this package just prints a short message on installation, it's nothing to be worried about security-wise. Best if you just ignore it.
Is there a chance to make politics anywhere else?