Closed shilman closed 1 year ago
New dependency changes detected. Learn more about Socket for GitHub ↗︎
🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.
To ignore an alert, reply with a comment starting with @SocketSecurity ignore
followed by a space separated list of package-name@version
specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@*
or ignore all packages with @SocketSecurity ignore-all
@SocketSecurity ignore core-js@3.27.2
@SocketSecurity ignore esbuild@0.17.14
@SocketSecurity ignore jest@27.5.1
@SocketSecurity ignore jest-cli@27.5.1
@SocketSecurity ignore @auto-it/core@10.37.6
@SocketSecurity ignore @auto-it/npm@10.37.6
@SocketSecurity ignore @aw-web-design/x-default-browser@1.4.88
@SocketSecurity ignore babel-plugin-istanbul@6.1.1
@SocketSecurity ignore commander@2.20.3
@SocketSecurity ignore commander@9.5.0
@SocketSecurity ignore cross-spawn@7.0.3
@SocketSecurity ignore envinfo@7.8.1
@SocketSecurity ignore execa@5.1.1
@SocketSecurity ignore fb-watchman@2.0.2
@SocketSecurity ignore gitlog@4.0.4
@SocketSecurity ignore jake@10.8.5
@SocketSecurity ignore jest-haste-map@29.3.1
@SocketSecurity ignore jest-worker@27.5.1
@SocketSecurity ignore jest-worker@29.3.1
@SocketSecurity ignore jscodeshift@0.14.0
@SocketSecurity ignore jsdom@16.7.0
@SocketSecurity ignore pidtree@0.6.0
@SocketSecurity ignore requireg@0.2.2
@SocketSecurity ignore shelljs@0.8.5
@SocketSecurity ignore tree-kill@1.2.2
@SocketSecurity ignore ts-node@10.9.1
@SocketSecurity ignore typescript@4.9.4
@SocketSecurity ignore update-browserslist-db@1.0.10
@SocketSecurity ignore webpack@5.75.0
@SocketSecurity ignore @sinclair/typebox@0.24.51
@SocketSecurity ignore @storybook/components@7.0.0
@SocketSecurity ignore @storybook/router@7.0.0
@SocketSecurity ignore ajv@6.12.6
@SocketSecurity ignore depd@2.0.0
@SocketSecurity ignore ejs@3.1.8
@SocketSecurity ignore expect@27.5.1
@SocketSecurity ignore handlebars@4.7.7
@SocketSecurity ignore is-callable@1.2.7
@SocketSecurity ignore jest-diff@27.5.1
@SocketSecurity ignore js-yaml@3.14.1
@SocketSecurity ignore lodash@4.17.21
@SocketSecurity ignore object-inspect@1.12.3
@SocketSecurity ignore prettier@2.8.3
@SocketSecurity ignore pretty-format@27.5.1
@SocketSecurity ignore rollup@3.10.1
@SocketSecurity ignore telejson@7.0.4
@SocketSecurity ignore tsup@6.5.0
@SocketSecurity ignore uglify-js@3.17.4
@SocketSecurity ignore @storybook/blocks@7.0.0
@SocketSecurity ignore await-to-js@3.0.0
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
Package | Script field | Source |
---|---|---|
core-js@3.27.2 (upgraded) | postinstall |
package.json via @storybook/addon-interactions@7.0.0, @storybook/testing-library@0.0.14-next.1 |
esbuild@0.17.14 (added) | postinstall |
package.json via @storybook/addon-essentials@7.0.0, @storybook/addon-interactions@7.0.0, @storybook/react@7.0.0, @storybook/react-webpack5@7.0.0, storybook@7.0.0, tsup@6.5.0 |
This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing or could be a sign of a supply chain attack
Consider removing one of the conflicting packages. Packages should only export bin scripts with their name
Package | Bin script | Source |
---|---|---|
jest@27.5.1 (upgraded) | jest |
package.json via ts-jest@27.1.5 |
jest-cli@27.5.1 (upgraded) | jest |
package.json via jest@27.5.1, ts-jest@27.1.5 |
This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.
Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.
Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.
Avoid packages that use eval, since this could potentially execute any code.
For SB 7.0 release