socket-security[bot]
commented
1 year ago Socket Security Pull Request Report
Dependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again.
📜 Install scripts
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
| Package | Script field | Source |
|---|---|---|
| @swc/core@1.3.32 (added) | postinstall |
examples/react-18/package.json via @vitejs/plugin-react-swc@3.1.0, packages/builder-vite/package.json via @vitejs/plugin-react-swc@3.1.0 |
⚠️ Uses eval
Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.
Avoid packages that use eval, since this could potentially execute any code.
tastafur
Fixes https://github.com/storybookjs/builder-vite/issues/551
This will first look for
@vitejs/plugin-react, then@vitejs/plugin-react-swc. It seems like the SWC version might not work with MDX stories, though. I updated the react-18 example to use it, and the intro story doesn't load. I don't think that should necessarily block this PR though.