
Reference to malicious package monorepo-symlink-test causing security scan to fail #288


Closed
reify-thomas-smith opened this issue Jul 27, 2022 · 4 comments

Comments

@reify-thomas-smith

The file test/resolver/multirepo/package.json is causing JFrog's vulnerability scanner to flag resolve because the name field is the name of a malicious package. This is definitely JFrog's fault and not resolve's, but if it's breaking for us, it's probably breaking for others.

@ljharb
Member

ljharb commented Jul 28, 2022

Indeed; I'm glad resolve is exposing the many "security" tools out there that are broken.

A scanner that even looks at package files that are only used in development of the package, and never referenced in production, will produce lots of false positives that distract from meaningful reports.

In particular, the package has private: true, and thus has no relationship to https://www.npmjs.com/package/monorepo-symlink-test, so I'd report this to JFrog with some urgency.

ljharb closed this as not planned on Jul 28, 2022
@oscarduignan

oscarduignan commented Aug 2, 2022

@ljharb with this, could the test files be excluded from the package in npm if they don't need to be distributed? Assuming they are from looking into the package using unpkg https://unpkg.com/browse/[email protected]/test/

@ljharb
Member

ljharb commented Aug 2, 2022

Yep! They forever do, because npm explore foo && npm install && npm test should always work.

@oscarduignan

cool, thank you @ljharb for the quick response 🙌

ljharb added a commit that referenced this issue Oct 10, 2023
…d security scanners

Fixes #319.
Fixes #318.
Fixes #317.
Fixes #314.
Closes #313.
Fixes #312.
Fixes #311.
Fixes #310.
Fixes #309.
Fixes #306.
Fixes #305.
Fixes #304.
Fixes #303.
Fixes #291.
Fixes #288.