just
just-scripts pulls in a dependency that is being marked as "Malicious component found" by component governance
Affected component: es5-ext 0.10.60
Security Review (CST-E): This package prints a protest message (in support of Ukraine) upon installation, when the package is installed on a system located in or around Russia. Downgrade to 0.10.53 or an earlier version.
Unfortunately I don't think there's a good way to fix this in just-task directly until https://github.com/gulpjs/undertaker/pull/97 is merged and published, removing the es6-weak-map dep (since it's not needed in modern Node versions).

Locally I tested what would happen if I added a dep on [email protected] in just-task (in a clean install with no lock file), but yarn unnecessarily resolved ^ versions of the same dep to latest. So for now, the most reliable workaround is to add resolutions on the consumer's end.
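An added example (not code from the thread or from the just project): a small yarn.lock v1 scanner that flags es5-ext entries resolved above 0.10.53, the last version the security review above calls safe, and builds the `resolutions` pin the consumer-side workaround relies on. The lockfile fragment and the registry host are constructed; the lockfile field names are yarn's own.

```javascript
// Added example (not from the thread): scan a yarn.lock v1 file for es5-ext
// entries newer than 0.10.53, the last version the security review above names
// as safe, and build the "resolutions" pin the workaround in this thread uses.
const SAFE_MAX = '0.10.53'; // ceiling stated in the issue; 0.10.60 is the flagged release

// Compare dotted numeric versions; negative, zero or positive like strcmp.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Parse yarn.lock v1: an unindented header listing the requested ranges
// (`pkg@^1.0.0, pkg@^1.2.0:`) followed by indented fields such as `version "x.y.z"`.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const specs = line.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      // Name is everything before the last '@', so scoped names keep their leading '@'.
      current = { name: specs[0].slice(0, specs[0].lastIndexOf('@')), requested: specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// es5-ext lock entries resolved above SAFE_MAX, i.e. the ones component governance flags.
function findAffectedEs5Ext(lockText) {
  return parseYarnLock(lockText).filter(
    (e) => e.name === 'es5-ext' && e.version && compareVersions(e.version, SAFE_MAX) > 0);
}

// The "resolutions" object a consumer adds to package.json to pin each flagged dep.
function resolutionsFor(affected) {
  return Object.fromEntries(affected.map((e) => [e.name, SAFE_MAX]));
}

// Constructed sample lockfile fragment in the shape yarn v1 writes (not a real lock file).
const SAMPLE_LOCK = ['# yarn lockfile v1', 'es5-ext@^0.10.35, es5-ext@^0.10.50:',
  '  version "0.10.60"', 'es6-weak-map@^2.0.3:', '  version "2.0.3"'].join('\n');
```

Running `resolutionsFor(findAffectedEs5Ext(SAMPLE_LOCK))` yields `{ "es5-ext": "0.10.53" }`, which is the block to merge into the consumer's package.json `resolutions` field before reinstalling.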
undertaker finally released a new version, so this is fixed in just-scripts 2.3.0 and just-task 1.10.0.