Indirect dependency on es5-ext: flagged as malicious by some security scanners #595
Comments
Thanks for the heads up, but as you said, there are many packages depending on es5-ext, and the issue should be fixed upstream.
@bcherny Actually, what I was trying to say was that showing colored debug messages in the console is nice, but it's not part of the core functionality of this package, and this file is the only place that imports By removing the dependency to
This package indirectly depends on es5-ext (via cli-color by the same author). es5-ext has a post-install script that does something unrelated to the package. Luckily, it is currently harmless. However, it may or may not escalate to something more serious in the future. As such, some security scanners are flagging json-schema-to-typescript and its dependents as unsafe. Here are some examples:

When json-schema-to-typescript is installed with safe-npm, it shows a scary prompt:

Running npx npq install es5-ext --dry-run shows the following warning message:

There are more reports in the es5-ext repository indicating that es5-ext has been flagged by other security scanners.

Leaving aside the politics and the unfortunate circumstances that led to this situation, the (indirect) dependency can cause complications when using json-schema-to-typescript. That is especially problematic in cases where users have limited control over security scanners or when whitelisting es5-ext isn't an option.

I don't know to what extent the author or contributors of json-schema-to-typescript view this as an issue, nor do I have a specific solution in mind, but I wanted to highlight this as a potential concern and raise awareness.