8000 Update package.json by jadoonf · Pull Request #29 · jadoonf/sandbox · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Update package.json #29

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
8000
from
Open

Update package.json #29

wants to merge 2 commits into from

Conversation

jadoonf
Copy link
Owner
@jadoonf jadoonf commented Nov 4, 2023

No description provided.

@jadoonf
Copy link
Owner Author
jadoonf commented Nov 4, 2023
edited
Loading

📊 Package size report   8%↑

File Before After
package.json 981 B 86%↑1.8 kB
Total (Includes all files) 11.0 kB 8%↑11.9 kB
Tarball size 4.1 kB 7%↑4.4 kB
Unchanged files
File Size
.github/workflows/explain.yml 736 B
.github/workflows/lstn.yml 432 B
.github/workflows/package-size-report.yml 536 B
.github/workflows/scanners.yml 1.0 kB
.github/workflows/test/lstn-cli-workflow.yml 2.0 kB
.github/workflows/test/lstn-dynamic.yml 378 B
.github/workflows/test/lstn-policy.yml 334 B
index.js 28 B
README.md 3.4 kB
rules.yml 1.2 kB

🤖 This report was automatically generated by pkg-size-action

@github-actions GitHub Actions
Copy link
github-actions bot commented Nov 4, 2023

listen.dev ∙ Security Report

critical 🚨 4 medium ⚠️ 5 low 🔷 1

🔍 The following behaviors have been detected in the dependency tree during installation

🚨 Critical severity
📑🔀 2 categories

  • 📑 Metadata ∙ 1 package
    • 📦 chokidar@3.5.3 ∙ 1 occurrence ∙ 1 kind of issue ∙ open 🔗
      • This package has inconsistent dependencies in the tarball's package.json ∙ 1 total occurrence
        Name Version Transitive Dependency Occurrences More
        chokidar 3.5.3 1 🔗
  • 🔀 Typosquatting ∙ 3 packages
    • 📦 jq@1.7.2 ∙ 1 occurrence ∙ 1 kind of issue ∙ open 🔗
      • The name of this package closely resembles other package names ("q") which are popular on NPM: it might be a typosquatting attempt ∙ 1 total occurrence
        Name Version Transitive Dependency Occurrences More
        jq 1.7.2 1 🔗
    • 📦 ink@3.2.0 ∙ 1 occurrence ∙ 1 kind of issue ∙ open 🔗
      • The name of this package closely resembles other package names ("ini") which are popular on NPM: it might be a typosquatting attempt ∙ 1 total occurrence
        Name Version Transitive Dependency Occurrences More
        ink 3.2.0 1 🔗
    • 📦 findit@2.0.0 ∙ 1 occurrence ∙ 1 kind of issue ∙ open 🔗
      • The name of this package closely resembles other package names ("findit2") which are popular on NPM: it might be a typosquatting attempt ∙ 1 total occurrence
        Name Version Transitive Dependency Occurrences More
        findit 2.0.0 1 🔗
⚠️ Medium severity
📡🔎 2 categories

  • 📡 Dynamic instrumentation ∙ 1 package
    • 📦 jq@1.7.2 ∙ 4 occurrences ∙ 2 kind of issues ∙ open 🔗
      • npm install spawned a process ∙ 1 total occurrence
        Name Version Transitive Dependency Occurrences More
        contextify 0.1.15 ✔️ 1 🔗
      • unexpected outbound connection destination ∙ 3 total occurrences
        Name Version Transitive Dependency Occurrences More
        contextify 0.1.15 ✔️ 3 🔗
  • 🔎 Static analysis ∙ 1 package
    • 📦 ink@3.2.0 ∙ 1 occurrence ∙ 1 kind of issue ∙ open 🔗
      • install script detected in package.json ∙ 1 total occurrence
        Name Version Transitive Dependency Occurrences More
        ink 3.2.0 1 🔗
🔷 Low severity
📑 1 category

  • 📑 Metadata ∙ 1 package
    • 📦 source-map-support@0.5.21 ∙ 1 occurrence ∙ 1 kind of issue ∙ open 🔗
      • This package version is 0.X.Y: the semver spec mandates those versions for initial development meaning that anything may change at any time and the public API of this package should not be considered stable. ∙ 1 total occurrence
        Name Version Transitive Dependency Occurrences More
        source-map-support 0.5.21 1 🔗
### 🚩 Some problems have been encountered
🔗 Package not analysed yet ∙ 30 occurrences ∙ Package not analysed yet

See docs 🔗

Powered by listen.dev

@jadoonf
Copy link
Owner Author
jadoonf commented Nov 21, 2023

🚀 Pull Request Security Summary

Critical 🚨: 2 issues | Medium ⚠️: 4 issues | Low 🔷: 1 issue

Issues Impacting Your Code

🚨 Critical Issues Affecting Used Code (2)
⚠️ Medium Issues Affecting Unused Code (4)
🔷 Low Severity Issues (1)

For a complete security report and to adjust your alert settings, visit listen.dev.

@jadoonf
Copy link
Owner Author
jadoonf commented Nov 21, 2023

🔐 Security Compliance Report

Critical 🚨: 2 issues | Medium ⚠️: 4 issues | Low 🔷: 1 issue

Comprehensive Risk Assessment

🚨 Critical Risk Profile (2 Issues)
⚠️ Medium External Dependency Risks (4 Issues)
🔷 Low Policy Deviations (1 Issue)

For full risk profiles and behavior analysis, access the Security Dashboard.

@jadoonf
Copy link
Owner Author
jadoonf commented Nov 21, 2023

listen.dev Security Alert Summary

Critical 🚨: 5 | Medium ⚠️: 28 | Low 🔷: 2

Impact on Your Codebase

  • Critical: Issues that directly affect your application’s security and functionality.
  • Medium: May indirectly affect your application, possibly in production.
  • Low: Minor issues, but worth reviewing for future code quality.

Take Action

🚨 Critical Issues - Immediate Action Required (5)
  • 📦 micromatch@4.0.5: GitHub dependency detected. Fix Now
  • 📦 ws@8.14.2: Potential typosquatting attempt. Resolve Now

Please review the rest in the detailed report.

⚠️ Medium and 🔷 Low Issues - Review at Your Earliest Convenience
  • 📦 keytar@7.9.0: Possible outbound connection detected. Investigate

Complete issue list available in the full security report.

For a detailed breakdown and more actions, visit your Security Dashboard.

@jadoonf
Copy link
Owner Author
jadoonf commented Nov 21, 2023

listen.dev Comprehensive Security Report

Critical 🚨: 5 | Medium ⚠️: 28 | Low 🔷: 2

Executive Summary

  • Critical: Immediate threat to security or compliance.
  • Medium: Potential risks that may escalate if not addressed.
  • Low: Issues that do not pose immediate risk but require attention to maintain code health.

Risk Assessment and Policy Compliance

🚨 Critical Risk Profile - Requires Urgent Attention (5)

Further details on risk sources and recommended actions in the full report.

⚠️ Medium Risk and 🔷 Low Risk - Schedule for Review

Access in-depth analysis and policy guidelines in the security dashboard.

Access the Full Security Report for detailed insights and policy management options.

@jadoonf
Copy link
Owner Author
jadoonf commented Nov 21, 2023

listen.dev ∙ Enhanced Security Report

critical 🚨 5 medium ⚠️ 28 low 🔷 2

🔍 Enhanced Analysis of Dependency Behaviors During Installation

🚨 Critical severity - Detected Issues and Actionable Insights
🔎🔀 2 categories

  • 🔎 Static Analysis ∙ 2 packages

    • 📦 micromatch@4.0.5

      • Issue: GitHub dependency in package.json.
      • Action: Review dependency source for potential risks.
      • Details: 🔗

    • 📦 license-checker@25.0.1

      • Issue: GitHub dependency in package.json.
      • Action: Verify license compliance.
      • Details: 🔗
  • 🔀 Typosquatting Concerns ∙ 3 packages

    • 📦 ws@8.14.2

      • Issue: Name resembles "ms", "qs" (possible typosquatting).
      • Action: Confirm correct package usage.
      • Details: 🔗

    • 📦 pkg@5.8.1

      • Issue: Name resembles "pg", "pug" (possible typosquatting).
      • Action: Verify package integrity.
      • Details: 🔗

    • 📦 @types/ws@8.5.9

      • Issue: Name resembles "@types/qs" (possible typosquatting).
      • Action: Check for correct package references.
      • Details: 🔗
⚠️ Medium Severity - Observed Behaviors and Recommendations
📡🔎 2 categories

  • 📡 Dynamic Instrumentation ∙ 2 packages

    • 📦 keytar@7.9.0

      • Issues: Process spawn during install, unexpected outbound connections.
      • Action: Review network activity for security implications.
      • Details: 🔗

    • 📦 @types/keytar@4.4.2

      • Issues: Process spawn during install, unexpected outbound connections.
      • Action: Monitor for abnormal behavior.
      • Details: 🔗
  • 🔎 Static Analysis ∙ Extended Insights for 14 packages

    Detailed analysis and actions for 14 packages with install script concerns.

🔷 Low Severity - Minor Alerts and Observations
📑 1 category

@jadoonf
Copy link
Owner Author
jadoonf commented Nov 21, 2023

listen.dev Comprehensive Security Compliance Report

Critical 🚨: 5 | Medium ⚠️: 28 | Low 🔷: 2

Critical Security Risks

🚨 Critical Security Risks (5)
  • 📦 micromatch@4.0.5
    • Issue: GitHub dependency found in package.json.
    • Risk: Introduces risk of pulling unsecured updates directly from GitHub.
    • Action: Evaluate the necessity of this direct dependency or switch to a version hosted on a secure package registry.
  • 📦 ws@8.14.2
    • Issue: Package name closely resembles popular NPM packages.
    • Risk: High risk of incorporating a malicious package due to name confusion (typosquatting).
    • Action: Verify the authenticity of the package and replace with a verified package if necessary.

Medium Security Risks

⚠️ Medium Security Risks (28)
  • 📦 keytar@7.9.0
    • Issue: Multiple unexpected outbound connections during installation.
    • Risk: Potential indication of data exfiltration or command and control communication.
    • Action: Investigate the connections to ensure they are legitimate and necessary for the package's functionality.

Low Security Risks

🔷 Low Security Risks (2)
  • 📦 webpack@5.89.0
    • Issue: Discrepancy in devDependencies within the package's package.json.
    • Risk: Could lead to build inconsistencies and potential for missing or outdated development dependencies.
    • Action: Verify and update the devDependencies to match the stable and secure versions needed.

Review the provided details to guide your security team's actions. Ensure all findings are investigated and resolved in line with your company's security policies.

@jadoonf
Copy link
Owner Author
jadoonf commented Nov 21, 2023

listen.dev Security Alert for Your Review

Critical 🚨: 5 | Medium ⚠️: 28 | Low 🔷: 2

Critical Issues

🚨 Critical Issues Affecting Your Code (5)
  • 📦 micromatch@4.0.5: Detected GitHub dependency.
    Risk: Can introduce unvetted code leading to potential vulnerabilities.
    Action: Verify the repository for the latest secure version or consider a safer alternative.
  • 📦 ws@8.14.2: Similar name to popular NPM packages (ms, qs).
    Risk: Potential typosquatting could lead to malicious code execution.
    Action: Confirm the integrity of the package, or replace it with the correct, intended package.

Medium Severity

⚠️ Medium Severity Issues (28)
  • 📦 keytar@7.9.0: Unexpected outbound connections during installation.
    Risk: Could indicate a security risk such as data leakage or unauthorized access.
    Action: Review the package's network activity, check for open issues regarding this behavior, and assess the need for this package in your project.

Low Severity

🔷 Low Severity Issues (2)
  • 📦 webpack@5.89.0: Inconsistent devDependencies.
    Risk: Inconsistencies can lead to unexpected behavior during development or build processes.
    Action: Align the devDependencies in your package.json with the project's requirements, and ensure all developers are using the same versions.

Each issue should be reviewed and addressed according to its impact on your project. Please ensure to follow your organization's guidelines for vulnerability resolution.

@jadoonf
Copy link
Owner Author
jadoonf commented Nov 21, 2023

listen.dev ∙ Enhanced Security Report

critical 🚨 5 medium ⚠️ 28 low 🔷 2

🔍 Enhanced Analysis of Dependency Behaviors During Installation

🚨 Critical severity - Detected Issues and Actionable Insights
🔎🔀 2 categories

  • 🔎 Static Analysis ∙ 2 packages

    • 📦 micromatch@4.0.5

      • Issue: GitHub dependency in package.json.
      • Action: Review dependency source for potential risks.
      • Details: 🔗

    • 📦 license-checker@25.0.1

      • Issue: GitHub dependency in package.json.
      • Action: Verify license compliance.
      • Details: 🔗
  • 🔀 Typosquatting Concerns ∙ 3 packages

    • 📦 ws@8.14.2

      • Issue: Name resembles "ms", "qs" (possible typosquatting).
      • Action: Confirm correct package usage.
      • Details: 🔗

    • 📦 pkg@5.8.1

      • Issue: Name resembles "pg", "pug" (possible typosquatting).
      • Action: Verify package integrity.
      • Details: 🔗

    • 📦 @types/ws@8.5.9

      • Issue: Name resembles "@types/qs" (possible typosquatting).
      • Action: Check for correct package references.
      • Details: 🔗
⚠️ Medium Severity - Observed Behaviors and Recommendations
📡🔎 2 categories

  • 📡 Dynamic Instrumentation ∙ 2 packages

    • 📦 keytar@7.9.0

      • Issues: Process spawn during install, unexpected outbound connections.
      • Action: Review network activity for security implications.
      • Details: 🔗

    • 📦 @types/keytar@4.4.2

      • Issues: Process spawn during install, unexpected outbound connections.
      • Action: Monitor for abnormal behavior.
      • Details: 🔗
  • 🔎 Static Analysis ∙ Extended Insights for 14 packages

    Detailed analysis and actions for 14 packages with install script concerns.

🔷 Low Severity - Minor Alerts and Observations
📑 1 category

  • 📑 Metadata Considerations ∙ 2 packages

    • 📦 webpack@5.89.0

      • Issue: Inconsistent devDependencies in tarball's package.json.
      • Action: Verify dependency accuracy.
      • Details: 🔗

    • 📦 source-map-support@0.5.21

      • Issue: Package version indicates initial development phase.
      • Action: Assess stability and API changes.
      • Details: 🔗

Powered by listen.dev

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jadoonf
0