Breaking: Simplify dependencies, support node 14+ #2
Conversation
Socket Security Pull Request ReportDependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again. 📜 Install scriptsInstall scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts. Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
😵💫 Bin script confusionThis package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing or could be a sign of a supply chain attack Consider removing one of the conflicting packages. Packages should only export bin scripts with their name
|
| Package | Eval Type | Location | Source |
|---|---|---|---|
| [email protected] (upgraded) | Function | build/utils.js | package.json via [email protected] |
| [email protected] (added) | Function | dist/js-yaml.js | package.json via [email protected] |
| [email protected] (added) | Function | dist/js-yaml.js | package.json via [email protected] |
| [email protected] (added) | Function | lib/js-yaml/type/js/function.js | package.json via [email protected] |
| [email protected] (added) | Function | lib/js-yaml/type/js/function.js | package.json via [email protected] |
| [email protected] (upgraded) | Function | dist/shared/loadConfigFile.js | package.json via [email protected] |
| [email protected] (upgraded) | Function | dist/shared/loadConfigFile.js | package.json via [email protected] |
| @sinonjs/[email protected] (added) | eval | src/fake-timers-src.js | package.json via [email protected] |
⚠️ New author
A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.
Pull request report summary
| Issue | Status |
|---|---|
| Install scripts | |
| Native code | ✅ 0 issues |
| Bin script confusion | |
| Bin script shell injection | ✅ 0 issues |
| Shell access | ✅ 0 issues |
| Uses eval | |
| Unresolved require | ✅ 0 issues |
| Invalid package.json | ✅ 0 issues |
| HTTP dependency | ✅ 0 issues |
| Git dependency | ✅ 0 issues |
| GitHub dependency | ✅ 0 issues |
| New author | |
| Potential typo squat | ✅ 0 issues |
| Known Malware | ✅ 0 issues |
| Telemetry | ✅ 0 issues |
| Protestware/Troll package | ✅ 0 issues |
| AI detected malware | ✅ 0 issues |
Bot Commands
To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] [email protected]
@SocketSecurity ignore [email protected]@SocketSecurity ignore [email protected]@SocketSecurity ignore [email protected]@SocketSecurity ignore [email protected]@SocketSecurity ignore [email protected]
Powered by socket.dev
Closes #1
One of the largest dependencies that Storybook installs in user projects is
core-js, and one of the reasons it does so is because of this package.The changes here remove babel in exchange for building with rollup via unbuild (https://github.com/unjs/unbuild), which greatly simplifies the dependencies.
This also bumps dotenv and dotenv-expand.
This also updates jest, and adds a github workflow to replace Travis.