
post install script makes package seem insecure

Open Oatelaus opened this issue 2 years ago • 0 comments

The post install script here makes any package which requires this package insecure by proxy, meaning contentful-export, contentful-import, etc. will all cause issues when being used in a pipeline with a security scanning tool. As seen here:

  • https://socket.dev/npm/package/contentful/overview/9.1.33

  • https://socket.dev/npm/issue/installScripts

The postinstall script here is "harmless", but there's good reason for this rule being enforced, and this package will weaken any project that it's used within. If I were to install this package and ignore the warning, with every update I would need to re-verify the code within this repository around the post-installation script, as it runs outside of regular application runtimes.

I believe there must be a better way to communicate updates to developers.

Oatelaus, Aug 03 '22 13:08