Affected script: "install-scripts:post-install-cmd"
The script uses Phive to install a package and passes several concerning flags. In particular, "--force-accept-unsigned" and "--trust-gpg-keys" can expose the system to vulnerabilities.
The "--force-accept-unsigned" flag makes Phive accept and install packages that carry no signature. An unsigned package has not been verified as coming from a trusted source and might contain malware or other harmful executables.
The "--trust-gpg-keys" flag makes Phive trust the listed GPG keys without verification. If any of those keys were compromised, the system could install malicious packages. Using these flags bypasses important security measures, which can amount to a major security vulnerability.
atoolo/resource-loader's direct dependencies:

Name | Version | Size | License | Type | Vulnerabilities
--- | --- | --- | --- | --- | ---