microsoft/just

just-scripts pulls in a dependency that is being marked as "Malicious component found" by component governance

vreddi opened this issue · 2 comments

Affected component: es5-ext 0.10.60

Security Review (CST-E)
This package prints a protest message (in support of Ukraine) upon installation, when the package is installed on a system located in or around Russia. Downgrade to 0.10.53 or an earlier version.


Unfortunately I don't think there's a good way to fix this in just-task directly until gulpjs/undertaker#97 is merged and published, removing the es6-weak-map dep (since it's not needed in modern Node versions).

Locally I tested what would happen if I added a dep on es5-ext@0.10.53 in just-task (in a clean install with no lock file), but yarn unnecessarily resolved ^ versions of the same dep to latest.

So for now, the most reliable workaround is to add resolutions on the consumer's end.
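As an added example (not code from microsoft/just, undertaker, or the commenters), this shows the consumer-side pin the comment refers to, plus a small check that reads a Yarn v1 lockfile and reports any es5-ext entry that still resolved above 0.10.53, the ceiling quoted from the security review in the issue. Only the package name and that ceiling come from the issue; the lockfile excerpts are constructed, and the npm `overrides` field is the npm (>= 8.3) equivalent of Yarn's `resolutions`, which the issue itself does not mention.

```javascript
// Added example (not from microsoft/just or the issue's authors): pin es5-ext on the
// consumer side and verify that a Yarn v1 lockfile actually honours the pin.
// Assumptions: Yarn classic (v1) lockfile syntax; the 0.10.53 ceiling is taken from
// the security review quoted in the issue; "overrides" is the npm (>= 8.3) equivalent.

const PKG = 'es5-ext';
const MAX_SAFE_VERSION = '0.10.53';

// package.json fields a consumer adds. Either field forces every transitive
// request for es5-ext, whatever range it asks for, to this exact version.
function consumerPackageJsonFragment(version = MAX_SAFE_VERSION) {
  return {
    resolutions: { [PKG]: version }, // Yarn
    overrides: { [PKG]: version },   // npm >= 8.3
  };
}

// Numeric compare of dotted versions; prerelease suffixes are ignored.
function compareVersions(a, b) {
  const parse = (v) => v.split('-')[0].split('.').map((n) => Number(n) || 0);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Minimal yarn.lock v1 reader: every entry whose header keys name `pkgName`,
// with the version Yarn resolved for it. Headers look like
//   es5-ext@^0.10.35, es5-ext@^0.10.50:
// and the indented body carries `version "x.y.z"`.
function lockedVersions(lockText, pkgName) {
  const entries = [];
  let current = null;
  for (const raw of lockText.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const keys = line.replace(/:\s*$/, '').split(',')
        .map((k) => k.trim().replace(/^"|"$/g, ''));
      // lastIndexOf keeps the leading @ of scoped package names intact
      const name = keys[0].slice(0, keys[0].lastIndexOf('@'));
      current = name === pkgName ? { keys, version: null } : null;
      if (current) entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Entries that escaped the pin: resolved above the ceiling, or missing a version line.
function unsafeEntries(lockText, pkgName = PKG, ceiling = MAX_SAFE_VERSION) {
  return lockedVersions(lockText, pkgName)
    .filter((e) => e.version === null || compareVersions(e.version, ceiling) > 0);
}

// Constructed lockfile excerpts (not real lockfiles from the project).
const LOCK_BEFORE = `# constructed: what an unconstrained install produces (caret ranges float to latest)
es5-ext@^0.10.35, es5-ext@^0.10.50, es5-ext@~0.10.14:
  version "0.10.60"
  resolved "https://registry.yarnpkg.com/es5-ext/-/es5-ext-0.10.60.tgz"
  dependencies:
    es6-iterator "^2.0.3"

es6-weak-map@^2.0.1:
  version "2.0.3"
  resolved "https://registry.yarnpkg.com/es6-weak-map/-/es6-weak-map-2.0.3.tgz"
  dependencies:
    es5-ext "^0.10.46"
`;

const LOCK_AFTER = `# constructed: the same install after adding the resolution and re-running yarn install
es5-ext@0.10.53, es5-ext@^0.10.35, es5-ext@^0.10.50, es5-ext@~0.10.14:
  version "0.10.53"
  resolved "https://registry.yarnpkg.com/es5-ext/-/es5-ext-0.10.53.tgz"
  dependencies:
    es6-iterator "^2.0.3"
`;

// Stand-alone run: print the fragment to add, then report both lockfile states.
console.log(JSON.stringify(consumerPackageJsonFragment(), null, 2));
for (const [label, lock] of [['before', LOCK_BEFORE], ['after', LOCK_AFTER]]) {
  const bad = unsafeEntries(lock);
  console.log(`${label}: ${bad.length === 0
    ? 'OK, every es5-ext request is pinned'
    : bad.map((e) => `${e.keys.join(', ')} -> ${e.version}`).join('; ')}`);
}
```

Re-run `yarn install` after adding the field and run the check against the regenerated yarn.lock; a non-empty result means some transitive range was still resolved outside the pin.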

undertaker finally released a new version, so this is fixed in just-scripts 2.3.0 and just-task 1.10.0.