Open Powersource opened 1 year ago
New dependency changes detected.

🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.

To ignore an alert, reply with a comment starting with `@SocketSecurity ignore` followed by a space-separated list of `package-name@version` specifiers, e.g. `@SocketSecurity ignore foo@1.0.0 bar@*`, or ignore all packages with `@SocketSecurity ignore-all`.
@SocketSecurity ignore blake3@2.1.7
@SocketSecurity ignore ssb-buttwoo@0.3.3
@SocketSecurity ignore ssb-classic@1.1.0
@SocketSecurity ignore ssb-db2@6.3.3
@SocketSecurity ignore ssb-index-feeds@0.10.2
@SocketSecurity ignore ssb-network-errors@1.0.1
@SocketSecurity ignore ssb-subset-ql@1.0.1
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install, and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Package | Script field | Source
---|---|---
blake3@2.1.7 (added) | install | package.json via ssb-ebt@9.1.2
License is deprecated, which may have legal implications regarding the package's use.

Update or change the license to a well-known or updated license.

Package | License | Source
---|---|---
ssb-buttwoo@0.3.3 (added) | LGPL-3.0 | package.json via ssb-ebt@9.1.2
ssb-classic@1.1.0 (added) | LGPL-3.0 | package.json via ssb-db2@6.3.3, ssb-ebt@9.1.2
ssb-db2@6.3.3 (added) | LGPL-3.0 | package.json via ssb-ebt@9.1.2
ssb-index-feeds@0.10.2 (added) | LGPL-3.0 | package.json via ssb-ebt@9.1.2
ssb-network-errors@1.0.1 (added) | LGPL-3.0 | package.json via ssb-ebt@9.1.2
ssb-subset-ql@1.0.1 (added) | LGPL-3.0 | package.json via ssb-ebt@9.1.2
Issue | Status
---|---
Install scripts | ⚠️ 1 issue
Native code | ✅ 0 issues
Bin script shell injection | ✅ 0 issues
Unresolved require | ✅ 0 issues
Invalid package.json | ✅ 0 issues
HTTP dependency | ✅ 0 issues
Git dependency | ✅ 0 issues
Deprecated license | ⚠️ 6 issues
Missing license | ✅ 0 issues
Potential typo squat | ✅ 0 issues
Known Malware | ✅ 0 issues
Telemetry | ✅ 0 issues
Protestware/Troll package | ✅ 0 issues
📊 Modified Dependency Overview:

➕ Added Package | Capability Access | +/- Transitive Count | Publisher
---|---|---|---
pull-many@1.0.9 | None | +0 | dominictarr
ssb-ebt@9.1.2 | network, environment | +10 | staltz
Anyone want to adopt this PR? It seems I won't need it for my tribes2 PR. @arj03 @mixmix @staltz

Fixes https://github.com/ssbc/ssb-meta-feeds/issues/114