Affected script: "install-scripts:preinstall"
The script performs a series of file system operations, copying folders from the ./dist directory into parent directories outside the project's own scope. It also reads the local git configuration and sends sensitive information, including the OS username, git user name, and git email, to remote servers (over HTTP or HTTPS, depending on the current username). This exposes private information without the user's explicit consent, which is a privacy concern. Moreover, transmitting data over HTTP is insecure because it is unencrypted, increasing the risk of interception. The script's behavior of reaching out to remote servers and transmitting user data can be exploited for malicious purposes and is therefore considered a security vulnerability. It should be reviewed, and the user's permission should be obtained before any personal information is collected or transmitted.
Affected script: node ./dist/scripts/postinstall.js
The script modifies the package.json of the npm package by removing various script entries, the eslint configuration, and the development and production dependencies. It also removes certain directories within the './dist' directory. There are no operations that steal sensitive information, gain root access, run or download remote code, or harm the system in an obvious way. The commented-out line that removes the '../../../public/ext/enterprise' directory could be harmful if uncommented, but as it stands it is inactive.
@gusmano/reext's direct dependencies.