[DO NOT MERGE] Testing socket security #10267

Closed
wants to merge 1 commit into from

zpao (Member) commented Jul 3, 2024

Resubmitting potential supply chain attack changes

Pre-flight checklist

  • I have read the Contributing Guidelines on pull requests.
  • If this is a code change: I have written unit tests and/or added dogfooding pages to fully verify the new behavior.
  • If this is a new API or substantial change: the PR has an accompanying issue (closes #0000) and the maintainers have approved on my working plan.

Motivation

Test Plan

Test links

Deploy preview: https://deploy-preview-_____--docusaurus-2.netlify.app/

Related issues/PRs

Resubmitting potential supply chain attack changes
@zpao zpao requested review from slorber and Josh-Cena as code owners July 3, 2024 17:07
@facebook-github-bot facebook-github-bot added the CLA Signed Signed Facebook CLA label Jul 3, 2024

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

| Package | New capabilities | Transitives | Size | Publisher |
| --- | --- | --- | --- | --- |
| npm/@polka/[email protected] | None | 0 | 4.48 kB | lukeed |
| npm/[email protected] | None | 0 | 12 kB | stephenmathieson |

🚮 Removed packages: npm/@polka/[email protected], npm/[email protected]

@zpao zpao closed this Jul 5, 2024
slorber (Collaborator) commented Jul 9, 2024

FYI @zpao, looks like Socket does not really detect lockfile resolution problems and only reports changes here.

I'm also adding this "lockfile-lint" tool from the Snyk founder to our lint pipeline:

npx lockfile-lint --path yarn.lock --type yarn --allowed-hosts yarn --validate-https --validate-package-names --validate-integrity --empty-hostname=false --allowed-package-name-aliases react-loadable string-width-cjs strip-ansi-cjs wrap-ansi-cjs
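
Added illustration, not part of the thread and not lockfile-lint's own code: a simplified re-creation of the kind of lockfile resolution checks the command above turns on (HTTPS only, allowed host, package name matching the resolved URL, sha512 integrity present). The sample lockfile, its package names and the `aliases` parameter are constructed for this example, and it assumes the `yarn` host alias stands for registry.yarnpkg.com.

```javascript
// Simplified re-creation of four lockfile-lint style checks (added example).
const ALLOWED_HOSTS = new Set(["registry.yarnpkg.com"]); // assumed meaning of the "yarn" alias
// Constructed yarn.lock v1 sample: names, hosts and hashes are made up.
const SAMPLE_LOCK = `
"demo-a@^1.0.0":
  resolved "https://registry.yarnpkg.com/demo-a/-/demo-a-1.0.0.tgz#aaaa"
  integrity sha512-CONSTRUCTED==
"demo-b@^1.3.0":
  resolved "https://example.invalid/other-pkg/-/other-pkg-1.3.0.tgz#bbbb"
  integrity sha512-CONSTRUCTED==
"@demo/tool@^2.0.0":
  resolved "http://registry.yarnpkg.com/@demo/tool/-/tool-2.0.0.tgz#cccc"
`;

// Split the lockfile into { name, fields } records, one per top-level entry.
function parseLock(text) {
  const entries = [];
  let cur = null;
  for (const line of text.split("\n")) {
    if (/^\S.*:$/.test(line)) { // unindented "spec[, spec]:" line starts an entry
      const spec = line.slice(0, -1).split(",")[0].trim().replace(/^"|"$/g, "");
      cur = { name: spec.slice(0, spec.indexOf("@", 1)), fields: {} };
      entries.push(cur);
    } else if (cur) {
      const m = line.match(/^  (\w+) "?([^"]*)"?$/); // two-space indented "key value"
      if (m) cur.fields[m[1]] = m[2];
    }
  }
  return entries;
}

// Return the list of failed checks for one entry (an empty list means clean).
function lintEntry(entry, aliases = new Set()) {
  let url;
  try { url = new URL(entry.fields.resolved); } catch { return ["bad-resolved-url"]; }
  const problems = [];
  if (url.protocol !== "https:") problems.push("non-https");
  if (!ALLOWED_HOSTS.has(url.hostname)) problems.push("host-not-allowed");
  const urlName = decodeURIComponent(url.pathname).split("/-/")[0].replace(/^\//, "");
  if (urlName !== entry.name && !aliases.has(entry.name)) problems.push("name-mismatch");
  if (!/^sha512-/.test(entry.fields.integrity || "")) problems.push("integrity");
  return problems;
}

// Map of package name to failed checks, listing only entries with problems.
function lintLock(text, aliases) {
  const rows = parseLock(text).map((e) => [e.name, lintEntry(e, aliases)]);
  return Object.fromEntries(rows.filter(([, p]) => p.length > 0));
}
console.log(lintLock(SAMPLE_LOCK));
```

The `demo-b` entry is the case a dependency-diff view does not surface: the declared name is unchanged while the resolved tarball points at a different package on another host.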
