just icon indicating copy to clipboard operation
just copied to clipboard
verified publisher icon microsoft

just-scripts pulls in a dependency that is being marked as "Malicious component found" by component governance

Open vreddi opened this issue 3 years ago • 1 comments

Affected component: es5-ext 0.10.60

Security Review (CST-E) This package prints a protest message (in support of Ukraine) upon installation, when the package is installed on a system located in or around Russia. Downgrade to 0.10.53 or an earlier version.

image

vreddi avatar Apr 22 '22 19:04 vreddi

Unfortunately I don't think there's a good way to fix this in just-task directly until https://github.com/gulpjs/undertaker/pull/97 is merged and published, removing the es6-weak-map dep (since it's not needed in modern Node versions).

Locally I tested what would happen if I added a dep on [email protected] in just-task (in a clean install with no lock file), but yarn unnecessarily resolved ^ versions of the same dep to latest. image

So for now, the most reliable workaround is to add resolutions on the consumer's end.

ecraig12345 avatar Sep 09 '22 23:09 ecraig12345

undertaker finally released a new version, so this is fixed in just-scripts 2.3.0 and just-task 1.10.0.

ecraig12345 avatar Mar 26 '24 00:03 ecraig12345