Indirect dependency on es5-ext: flagged as malicious by some security scanners #595

Closed
fardjad opened this issue Apr 27, 2024 · 2 comments
Labels
external This is an issue with a library that we depend on

Comments

@fardjad

fardjad commented Apr 27, 2024

This package indirectly depends on es5-ext (via cli-color by the same author). es5-ext has a post-install script that does something unrelated to the package. Luckily, it is currently harmless. However, it may or may not escalate to something more serious in the future. As such, some security scanners are flagging json-schema-to-typescript and its dependents as unsafe.

Here are some examples:

When json-schema-to-typescript is installed with safe-npm, it shows a scary prompt:

(socket) [email protected] contains risks:
  Install scripts - Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
  Protestware/Troll package - This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function.

Running npx npq install es5-ext --dry-run shows the following warning message:

npx npq install es5-ext --dry-run
⚠ Supply Chain Security
  ✔ Checking for known vulnerabilities
  ✔ Verifying registry signatures for package
  ✖ Verifying package provenance
  ✔ Identifying package author...
✔ Package Health
  ✔ Checking for typosquatting
  ✔ Checking availability of a LICENSE
  ✔ Checking package maturity
⚠ Malware Detection
  ✖ Checking package for pre/post install scripts
  ✔ Identifying package repository...
  ✔ Detecting expired domains for authors account...
  ✔ Checking package download popularity

Detected possible issues with the following packages:
  [es5-ext@latest]
    - Unable to verify provenance: the package was published without any attestations.
    - detected a possible malicious intent script, act carefully: postinstall:  node -e "try{require('./_postinstall')}catch(e){}" || exit 0

There are more reports in the es5-ext repository indicating that es5-ext has been flagged by other security scanners.

Leaving aside the politics and the unfortunate circumstances that led to this situation, the (indirect) dependency can cause complications when using json-schema-to-typescript. That is especially problematic in cases where users have limited control over security scanners or when whitelisting es5-ext isn't an option.

I don't know to what extent the author or contributors of json-schema-to-typescript view this as an issue, nor do I have a specific solution in mind, but I wanted to highlight this as a potential concern and raise awareness.
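As an added example, not code from this issue or from the json-schema-to-typescript project, the script below traces where an install-script package such as es5-ext enters a project by reading the package-lock.json that npm 7+ writes (each installed entry under "packages" carries hasInstallScript when npm found one). The lockfile fragment embedded in it is constructed to mirror the chain described above; the "*" version specs are placeholders.

```javascript
// Added example, not code from the issue or from json-schema-to-typescript.
// Resolve dependency `name` from the package at `fromPath`, mimicking Node's
// nearest-node_modules lookup over a package-lock.json "packages" map (v2/v3).
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // walked past the root: dependency is not installed
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// List every package npm recorded with an install script, with one dependency
// chain from the project root, so a transitive flag like es5-ext can be traced.
function findInstallScripts(lock) {
  const packages = lock.packages || {};
  const parent = new Map([["", null]]), queue = [""]; // breadth-first from root ""
  while (queue.length) {
    const cur = queue.shift();
    const meta = packages[cur] || {};
    const deps = { ...meta.dependencies, ...meta.optionalDependencies, ...meta.devDependencies };
    for (const name of Object.keys(deps)) {
      const target = resolveDep(packages, cur, name);
      if (target && !parent.has(target)) { parent.set(target, cur); queue.push(target); }
    }
  }
  const findings = [];
  for (const [p, meta] of Object.entries(packages)) {
    if (p === "" || !meta.hasInstallScript) continue;
    const chain = []; // package names from the root's direct dependency down to p
    for (let n = p; n; n = parent.get(n) || "") chain.unshift(n.split("node_modules/").pop());
    findings.push({ package: chain[chain.length - 1], reachable: parent.has(p), chain });
  }
  return findings;
}

// Constructed lockfile fragment mirroring the chain described in the issue;
// the "*" version specs are placeholders, not real versions.
const SAMPLE_LOCK = {
  packages: {
    "": { dependencies: { "json-schema-to-typescript": "*" } },
    "node_modules/json-schema-to-typescript": { dependencies: { "cli-color": "*" } },
    "node_modules/cli-color": { dependencies: { "es5-ext": "*" } },
    "node_modules/es5-ext": { hasInstallScript: true },
  },
};
findInstallScripts(SAMPLE_LOCK).forEach((f) => console.log(f.chain.join(" -> ")));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json; a package that is flagged but reported as unreachable is one the lockfile keeps without any dependency path from the root.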

@fardjad fardjad changed the title Dependency on es5-ext: Flagged as Malicious by Some Security Scanners Indirect dependency on es5-ext: Flagged as Malicious by Some Security Scanners Apr 27, 2024
@fardjad fardjad changed the title Indirect dependency on es5-ext: Flagged as Malicious by Some Security Scanners Indirect dependency on es5-ext: flagged as malicious by some security scanners Apr 27, 2024
@bcherny
Owner

bcherny commented May 2, 2024

Thanks for the heads up, but as you said, there are many packages depending on es5-ext, and the issue should be fixed upstream.

@bcherny bcherny closed this as completed May 2, 2024
@bcherny bcherny added invalid external This is an issue with a library that we depend on and removed invalid labels May 2, 2024
@fardjad
Author

fardjad commented May 2, 2024

but as you said, there are many packages depending on es5-ext

@bcherny Actually, what I was trying to say was that showing colored debug messages in the console is nice, but it's not part of the core functionality of this package, and this file is the only place that imports cli-color (and cli-color is the only dependency of this project that pulls in es5-ext).

By removing the dependency on cli-color or replacing it with another module such as this, this issue can be "fixed". I can try and submit a small PR with the changes if that's something you'd be open to.
