[Snyk] Upgrade @docusaurus/core from 2.1.0 to 3.4.0 #826

Open
wants to merge 1 commit into
base: main

Conversation

Collaborator

@q1blue q1blue commented Aug 27, 2024

Snyk has created this PR to upgrade @docusaurus/core from 2.1.0 to 3.4.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

  • The recommended version is 20 versions ahead of your current version.

  • The recommended version was released 3 months ago.

Issues fixed by the recommended upgrade:

Severity | Issue | Snyk ID | Score | Exploit Maturity
medium | Cross-site Scripting (XSS) | SNYK-JS-SERIALIZEJAVASCRIPT-6147607 | 109 | Proof of Concept
critical | Incomplete List of Disallowed Inputs | SNYK-JS-BABELTRAVERSE-5962462 | 109 | Proof of Concept
high | Sandbox Bypass | SNYK-JS-WEBPACK-3358798 | 109 | Proof of Concept
high | Path Traversal | SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555 | 109 | Proof of Concept
medium | Open Redirect | SNYK-JS-EXPRESS-6474509 | 109 | No Known Exploit
medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-HTTPCACHESEMANTICS-3248783 | 109 | Proof of Concept
medium | Prototype Pollution | SNYK-JS-JSON5-3182856 | 109 | Proof of Concept
medium | Improper Input Validation | SNYK-JS-POSTCSS-5926692 | 109 | No Known Exploit
medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-SIDEWAYFORMULA-3317169 | 109 | No Known Exploit
Release notes
Package name: @docusaurus/core
  • 3.4.0 - 2024-05-31

    3.4.0 (2024-05-31)

    🚀 New Feature

    • create-docusaurus, docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-theme-classic, docusaurus-utils-validation, docusaurus-utils
      • #10137 feat(docs, blog): add support for tags.yml, predefined list of tags (@ OzakIOne)
    • docusaurus-theme-translations
      • #10151 feat(theme-translations): Added Turkmen (tk) default theme translations (@ ilmedova)
      • #10111 feat(theme-translations): Add Bulgarian default theme translations (bg) (@ PetarMc1)
    • docusaurus-plugin-client-redirects, docusaurus-plugin-content-blog, docusaurus-plugin-pwa, docusaurus-plugin-sitemap, docusaurus-theme-search-algolia, docusaurus-types, docusaurus-utils, docusaurus
      • #9859 feat(core): hash router option - browse site offline (experimental) (@ slorber)
    • docusaurus-module-type-aliases, docusaurus-theme-classic, docusaurus-theme-common, docusaurus-types, docusaurus
      • #10121 feat(core): site storage config options (experimental) (@ slorber)

    🐛 Bug Fix

    • docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-utils
      • #10185 fix(docs, blog): Markdown link resolution does not support hot reload (@ slorber)
    • docusaurus-theme-search-algolia
    • docusaurus-mdx-loader, docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-plugin-content-pages, docusaurus-utils
      • #10168 fix(mdx-loader): resolve Markdown/MDX links with Remark instead of RegExp (@ slorber)
    • docusaurus-theme-translations
    • docusaurus
      • #10145 fix(core): fix serve workaround regexp (@ slorber)
      • #10142 fix(core): fix docusaurus serve broken for assets when using trailingSlash (@ slorber)
      • #10130 fix(core): the broken anchor checker should not be sensitive pathname trailing slashes (@ slorber)
    • docusaurus-theme-classic, docusaurus-theme-common
      • #10144 fix(theme): fix announcement bar layout shift due to missing storage key namespace (@ slorber)
    • docusaurus-plugin-content-docs, docusaurus
      • #10132 fix(core): configurePostCss() should run after configureWebpack() (@ slorber)
    • docusaurus-utils, docusaurus
      • #10131 fix(core): codegen should generate unique route prop filenames (@ slorber)
    • docusaurus-theme-classic, docusaurus-theme-translations
      • #10118 fix(theme-translations): fix missing pluralization for label DocCard.categoryDescription.plurals (@ slorber)

    📝 Documentation

    • #10176 docs: add community plugin docusaurus-graph (@ Arsero)
    • #10173 docs: improve how to use <details> (@ tats-u)
    • #10167 docs: suggest using {<...>...</...>} if don't use Markdown in migra… (@ tats-u)
    • #10143 docs: recommend users to remove hast-util-is-element in migration to v3 (@ tats-u)
    • #10124 docs: v3 prepare your site blog post should point users to the upgrade guide (@ homotechsual)

    🤖 Dependencies

    Committers: 11

  • 3.3.2 - 2024-05-03

    v3.3.2

  • 3.3.1 - 2024-05-03

    v3.3.1

  • 3.3.0 - 2024-05-03

    3.3.0 (2024-05-03)

    🚀 New Feature

    • docusaurus-plugin-sitemap
    • docusaurus-mdx-loader, docusaurus-types, docusaurus
      • #10064 feat(core): add new site config option siteConfig.markdown.anchors.maintainCase (@ iAdramelk)
    • docusaurus
      • #9767 feat(cli): docusaurus deploy should support a --target-dir option (@ SandPod)
    • docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-plugin-content-pages, docusaurus-plugin-debug, docusaurus-types, docusaurus
    • docusaurus-plugin-content-pages, docusaurus-theme-classic, docusaurus-theme-common
      • #10032 feat(pages): add LastUpdateAuthor & LastUpdateTime & editUrl (@ OzakIOne)

    🐛 Bug Fix

    • docusaurus-cssnano-preset, docusaurus-utils, docusaurus
    • docusaurus-theme-classic
      • #10091 fix(theme): <Tabs> props should allow overriding defaults (@ gagdiez)
      • #10080 fix(theme): <Admonition> should render properly without heading/icon (@ andrmaz)
    • docusaurus
      • #10090 fix(core): docusaurus serve redirects should include the site /baseUrl/ prefix (@ slorber)
    • docusaurus-module-type-aliases, docusaurus-preset-classic, docusaurus-theme-classic, docusaurus-theme-live-codeblock, docusaurus
    • docusaurus-theme-translations
      • #10070 fix(theme-translations): add missing theme translations for pt-BR (@ h3nr1ke)
      • #10051 fix(theme-translations): correct label for tip admonition in italian (@ tomsotte)
    • docusaurus-theme-search-algolia
      • #10048 fix(algolia): add insights property on Algolia Theme Config object TS definition (@ Virgil993)
    • docusaurus-plugin-content-docs, docusaurus
      • #10054 fix(core): sortRoutes shouldn't have a default baseUrl value, this led to a bug (@ slorber)
    • docusaurus-plugin-content-docs
    • docusaurus-utils
      • #10022 fix(utils): getFileCommitDate should support log.showSignature=true (@ slorber)

    🏃‍♀️ Performance

    • docusaurus
      • #10060 refactor(core): optimize App entrypoint, it should not re-render when navigating (@ slorber)

    💅 Polish

    • docusaurus-theme-classic
      • #10061 refactor(theme): simplify CSS solution to solve empty search container (@ slorber)
    • docusaurus-theme-common

    📝 Documentation

    🤖 Dependencies

    🔧 Maintenance

    • create-docusaurus, docusaurus-cssnano-preset, docusaurus-logger, docusaurus-mdx-loader, docusaurus-plugin-client-redirects, docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-plugin-content-pages, docusaurus-plugin-debug, docusaurus-plugin-google-analytics, docusaurus-plugin-google-gtag, docusaurus-plugin-google-tag-manager, docusaurus-plugin-ideal-image, docusaurus-plugin-pwa, docusaurus-plugin-sitemap, docusaurus-plugin-vercel-analytics, docusaurus-preset-classic, docusaurus-remark-plugin-npm2yarn, docusaurus-theme-classic, docusaurus-theme-common, docusaurus-theme-live-codeblock, docusaurus-theme-mermaid, docusaurus-theme-search-algolia, docusaurus-theme-translations, docusaurus-utils-common, docusaurus-utils-validation, docusaurus-utils, docusaurus, eslint-plugin, lqip-loader, stylelint-copyright
      • #10065 refactor: extract base TS client config + upgrade TS + refactor TS setup (@ slorber)
    • Other
      • #10063 test(e2e): TypeCheck website/starter in min/max range of TS versions (@ slorber)
      • #10049 fix(website): fix website manifest.json name "Docusaurus v2" to just "Docusaurus" (@ volcanofr)

    Committers: 20

  • 3.2.1 - 2024-04-04

    3.2.1 (2024-04-04)

    🐛 Bug Fix

    • docusaurus

    📝 Documentation

    🤖 Dependencies

    Committers: 2

  • 3.2.0 - 2024-03-29

    3.2.0 (2024-03-29)

    🚀 New Feature

    • docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-plugin-content-pages, docusaurus-plugin-sitemap, docusaurus-types, docusaurus-utils, docusaurus
    • docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-theme-classic, docusaurus-theme-common, docusaurus-utils-validation, docusaurus-utils
    • docusaurus-plugin-debug, docusaurus-types, docusaurus
      • #9931 feat(core): add new plugin allContentLoaded lifecycle (@ slorber)
    • docusaurus-theme-translations
    • docusaurus-plugin-content-blog
      • #9886 feat(blog): allow processing blog posts through a processBlogPosts function (@ OzakIOne)
      • #9838 feat(blog): add blog pageBasePath plugin option (@ ilg-ul)
    • docusaurus
      • #9681 feat(swizzle): ask user preferred language if no language CLI option provided (@ yixiaojiu)
    • create-docusaurus, docusaurus-utils
      • #9442 feat(create-docusaurus): ask user for preferred language when no language CLI option provided (@ Rafael-Martins)
    • docusaurus-plugin-vercel-analytics
      • #9687 feat(plugin-vercel-analytics): add new vercel analytics plugin (@ OzakIOne)
    • docusaurus-mdx-loader
      • #9684 feat(mdx-loader): the table-of-contents should display toc/headings of imported MDX partials (@ anatolykopyl)

    🐛 Bug Fix

    • docusaurus-mdx-loader
      • #9999 fix(mdx-loader): Ignore contentTitle coming after Markdown thematicBreak (@ slorber)
    • docusaurus-theme-search-algolia
      • #9945 fix(a11y): move focus algolia-search focus back to search input on Escape (@ mxschmitt)
    • docusaurus-plugin-content-blog
    • docusaurus-theme-classic
      • #9944 fix(theme): improve a11y of DocSidebarItemCategory expand/collapsed button (@ mxschmitt)
    • docusaurus-theme-translations
    • docusaurus-utils
      • #9897 fix(mdx-loader): mdx-code-block should support CRLF (@ slorber)
    • docusaurus
      • #9878 fix(core): fix default i18n calendar used, infer it from locale if possible (@ slorber)
      • #9852 fix(core): ensure core error boundary is able to render theme layout (@ slorber)
    • docusaurus-remark-plugin-npm2yarn
      • #9861 fix(remark-npm2yarn): update npm-to-yarn from 2.0.0 to 2.2.1, fix pnpm extra args syntax (@ OzakIOne)
    • docusaurus-theme-classic, docusaurus-theme-translations
      • #9851 fix(theme-classic): should use plurals for category items description (@ baradusov)

    🏃‍♀️ Performance

    • docusaurus-types, docusaurus-utils, docusaurus
      • #9975 refactor(core): improve dev perf, fine-grained site reloads - part 3 (@ slorber)
    • docusaurus-types, docusaurus
      • #9968 refactor(core): improve dev perf, fine-grained site reloads - part2 (@ slorber)
    • docusaurus-plugin-content-docs, docusaurus-plugin-content-pages, docusaurus-types, docusaurus
      • #9903 refactor(core): improve dev perf, fine-grained site reloads - part1 (@ slorber)
    • docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-utils
    • docusaurus
      • #9798 refactor(core): internalize, simplify and optimize the SSG logic (@ slorber)

    💅 Polish

    • docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-theme-classic, docusaurus-theme-common
      • #9868 refactor(theme): dates should be formatted on the client-side instead of in nodejs code (@ OzakIOne)
    • docusaurus-plugin-content-blog, docusaurus-theme-classic, docusaurus-theme-common, docusaurus-types
      • #9669 refactor(theme): use JSON-LD instead of microdata for blog structured data (@ johnnyreilly)
    • docusaurus-plugin-content-docs
      • #9839 refactor(blog): improve doc global data hook error message + add doc warning to blogOnly mode (@ OzakIOne)

    📝 Documentation

    🤖 Dependencies

    🔧 Maintenance

    • docusaurus-plugin-client-redirects, docusaurus-plugin-content-docs, docusaurus-utils-common, docusaurus-utils-validation, docusaurus-utils, docusaurus
    • Other
    • docusaurus-plugin-content-blog, docusaurus-plugin-content-docs, docusaurus-theme-classic, docusaurus-theme-common, docusaurus-utils
      • #9963 refactor(docs,blog): last update timestamp should be in milliseconds instead of seconds (@ slorber)

    Committers: 22

  • 3.1.1 - 2024-01-26

    3.1.1 (2024-01-26)

    🐛 Bug Fix

    • docusaurus-types, docusaurus
      • #9791 fix(core): broken links optimization behaves differently than non-optimized logic (@ slorber)
    • docusaurus
      • #9788 fix(core): links with target "_blank" should no be checked by the broken link checker (@ slorber)
      • #9407 fix(core): conditionally include hostname parameter when using… (@ jack-robson)
    • docusaurus-utils
      • #9776 fix(mdx-loader): allow spaces before mdx-code-block info string (@ eitsupi)
    • create-docusaurus
    • docusaurus-theme-common
      • #9727 fix(theme-common): fix missing code block MagicComments style in Visual Basic (.NET) 16 (@ tats-u)
    • docusaurus-theme-classic, docusaurus-theme-mermaid
    • docusaurus-module-type-aliases, docusaurus-theme-classic, docusaurus-theme-common, docusaurus-utils, docusaurus

    🏃‍♀️ Performance

    • docusaurus

    💅 Polish

    • docusaurus-theme-classic

    Committers: 6

  • 3.1.0 - 2024-01-05
  • 3.0.1 - 2023-11-30
  • 3.0.0 - 2023-10-31
  • 3.0.0-rc.1 - 2023-10-26
  • 3.0.0-rc.0 - 2023-10-20
  • 3.0.0-beta.0 - 2023-09-15
  • 3.0.0-alpha.0 - 2023-06-15
  • 2.4.3 - 2023-09-20
  • 2.4.1 - 2023-05-15
  • 2.4.0 - 2023-03-23
  • 2.3.1 - 2023-02-03
  • 2.3.0 - 2023-01-27
  • 2.2.0 - 2022-10-29
  • 2.1.0 - 2022-09-02
from @docusaurus/core GitHub release notes

Important

  • Warning: This PR contains a major version upgrade, and may be a breaking change.
  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in npm:
@docusaurus/core

See this project in Snyk:
https://app.snyk.io/org/q1blue-rxw/project/5b430cad-b455-40c7-a7ff-af5a8804e8ca?utm_source=github&utm_medium=referral&page=upgrade-pr
changeset-bot bot commented Aug 27, 2024

⚠️ No Changeset found

Latest commit: 68d6146

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package | New capabilities | Transitives | Size | Publisher
npm/@fastify/[email protected] | None | 0 | 71 kB | eomm
npm/@fastify/[email protected] | None | +1 | 99.7 kB | matteo.collina
npm/@fastify/[email protected] | None | 0 | 95.9 kB | matteo.collina
npm/@fastify/[email protected] | Transitive: environment | +2 | 63.6 kB | matteo.collina
npm/@fastify/[email protected] | None | +1 | 176 kB | kibertoad
npm/@fastify/[email protected] | None | 0 | 42.3 kB | gurgunday
npm/@fastify/[email protected] | network | 0 | 179 kB | climba03003
npm/@fastify/[email protected] | None | 0 | 27.4 kB | matteo.collina
npm/@fastify/[email protected] | network | +1 | 71.4 kB | matteo.collina
npm/@fastify/[email protected] | None | +1 | 331 kB | matteo.collina
npm/@fastify/[email protected] | None | 0 | 16.4 kB | climba03003
npm/@fastify/[email protected] | None | +2 | 112 kB | matteo.collina
npm/@mgcrea/[email protected] | None | 0 | 27.2 kB | mgcrea
npm/@octokit/[email protected] | None | +1 | 14.3 kB | gr2m, kfcampbell, nickfloyd, ...1 more
npm/@types/[email protected] | None | 0 | 13.5 kB | types
npm/@types/[email protected] | None | 0 | 1.77 kB | types
npm/@types/[email protected] | None | +1 | 19.2 kB | types
npm/@types/[email protected] | None | 0 | 21.2 kB | types
npm/[email protected] | environment, filesystem, network, shell | 0 | 1.63 MB | manast
npm/[email protected] | None | 0 | 2.13 MB | victorquinn
npm/[email protected] | filesystem, shell | +1 | 49.2 kB | tjholowaychuk
npm/[email protected] | environment, filesystem | +1 | 6.81 MB | gustavohenke
npm/[email protected] | environment | 0 | 448 kB | eemeli

🚮 Removed packages: npm/[email protected], npm/[email protected], npm/[email protected]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert | Package | Note | Source | CI
Install scripts | npm/[email protected] | Install script: install | node-pre-gyp install --fallback-to-build | 🚫

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

2 participants