
Malicious Package detected in CI build by JFrog Xray scan #274

Open
eddyloewen opened this issue Aug 20, 2024 · 4 comments · May be fixed by #275

Comments

@eddyloewen

I'm using the @custom-elements-manifest/analyzer package but I can't currently install it in my CI because the team uses a JFrog Xray scan that detects a malicious package (@ext-scoped/with-export-map) inside.

https://socket.dev/npm/package/@ext-scoped/with-export-map

I'm not sure why it does that, because as far as I can see it is not a real dependency in the project but rather just a string in the fixtures directory. But it is inside a package.json and therefore might seem legit.

I think there are two possible solutions to the problem. Rename the fake dependency to something different or exclude the fixtures directory from the bundle. Would either of the solutions be possible to implement?

@thepassle
Member

sure thing, can you make a PR? Should be an easy enough fix :)

@eddyloewen
Author

Yea sure! Which path should we take? The rename?

@thepassle
Member

probably exclude the fixtures, don't need that on install

@eddyloewen
Author

Sure! 👍
