⚠️ This package seems to have critical severity install script vulnerabilities

Affected script: "install-scripts:preinstall"

The script sends local user information (OS username, Git config name, and email) to a remote server, which could be used for malicious purposes such as phishing or unauthorized access. The use of HTTP and HTTPS requests to send sensitive data to an external endpoint is a potential security vulnerability, as this data could be intercepted or misused by an attacker.

Generated on Apr 23, 2024 via pnpm

Repo

Npm

Home

@gusmano/reext 0.0.202

React ReExt

React

Sencha

ExtJS

Components

ReExt

Package summary

issues

licenses

Package created

28 Oct 2023

Version published

9 Nov 2023

Maintainers

Total deps

116

Direct deps

License

MIT

Issues

1 critical severity issue

critical

iniparser@1.0.5

Package has no specified license

Recommendation: Check the package code and files for license information

via: iniparser@1.0.5

Collapse

Expand

4 high severity issues

high

rx-lite@4.0.8

Package uses an invalid SPDX license ("Apache License, Version 2.0")

Recommendation: Validate that the package complies with your license policy

via: inquirer-select-directory@1.2.0

@gusmano/reext@0.0.202

Package uses preinstall script: "node ./dist/scripts/preinstall.js"

via: @gusmano/reext@0.0.202

@gusmano/reext@0.0.202

Package uses postinstall script: "node ./dist/scripts/postinstall.js"

via: @gusmano/reext@0.0.202

spawn-sync@1.0.15

Package uses postinstall script: "node postinstall"

via: inquirer-select-directory@1.2.0

Collapse

Expand

1 moderate severity issue

moderate

@gusmano/reext@0.0.202

Package has no specified source code repository

via: @gusmano/reext@0.0.202

Collapse

Expand

1 low severity issue

low

rx-lite@4.0.8

Package uses a license that is not OSI approved ("Apache License, Version 2.0")

Recommendation: Read and validate the license terms

via: inquirer-select-directory@1.2.0

Collapse

Expand

Install Script Usage

ⓘ This section contains AI-generated explanations for this package's install scripts.
We recommend overviewing the package source files before installing to your project.

The "postinstall" Script

node ./dist/scripts/postinstall.js

The script appears to be a post-installation cleanup script for a Node.js project. It performs the following actions:

It imports the fs module for filesystem operations and the chalk module for colored console output.
It defines a function 'l' for logging with a special prefix and blue color.
It logs the start of the post-install script for the current package.
It reads the original package.json file from the project root.
It deletes various script entries and configurations from the package.json object, such as dev, build, test, watch, coverage, eslintConfig, devDependencies, and dependencies.
It writes the modified package.json back to the disk.
It removes the ./dist/scripts, ./dist/data, ./dist/resources, and ./dist/source directories recursively and with force.
The code comments out a potentially dangerous line that would have deleted the ../../../public/ext/enterprise directory, which could have been a vulnerability if it was trying to access directories outside of the project scope.
It logs the completion of the post-install script.
It logs the process versions. There's no immediately apparent code designed to steal sensitive information, gain root access, run or download remote code, or harm the system in any other way. The script focuses on cleaning up by removing certain scripts and directories after installation. However, it's worth noting that post-install scripts can be dangerous if they contain harmful intentions, but in this particular code snippet, no such intentions are present.

Licenses

MIT License

Permissive

OSI Approved

This is a human-readable summary of (and not a substitute for) the license. Disclaimer.

Can

commercial-use

modify

distribute

sublicense

private-use

Cannot

hold-liable

Must

include-copyright

include-license

103 Packages, Including:

@gusmano/reext@0.0.202

@inquirer/figures@1.0.1

@ljharb/through@2.3.13

ansi-escapes@1.4.0

ansi-escapes@4.3.2

ansi-regex@2.1.1

ansi-regex@3.0.1

ansi-regex@5.0.1

ansi-styles@2.2.1

ansi-styles@4.3.0

base64-js@1.5.1

bl@4.1.0

buffer-from@1.1.2

buffer@5.7.1

call-bind@1.0.7

chalk@1.1.1

chalk@4.1.2

chalk@5.3.0

chardet@0.7.0

cli-cursor@1.0.2

cli-cursor@2.0.0

cli-cursor@3.1.0

cli-spinners@2.9.2

clone@1.0.4

color-convert@2.0.1

color-name@1.1.4

concat-stream@1.6.2

core-util-is@1.0.3

defaults@1.0.4

define-data-property@1.1.4

emoji-regex@8.0.0

es-define-property@1.0.0

es-errors@1.3.0

escape-string-regexp@1.0.5

exit-hook@1.1.1

extend@3.0.2

external-editor@1.1.1

external-editor@3.1.0

figures@2.0.0

function-bind@1.1.2

get-intrinsic@1.2.4

gopd@1.0.1

has-ansi@2.0.0

has-flag@4.0.0

has-property-descriptors@1.0.2

has-proto@1.0.3

has-symbols@1.0.3

hasown@2.0.2

iconv-lite@0.4.24

inquirer-select-directory@1.2.0

ISC License

Permissive

OSI Approved

This is a human-readable summary of (and not a substitute for) the license. Disclaimer.

Can

commercial-use

modify

distribute

Cannot

hold-liable

Must

include-copyright

include-license

6 Packages, Including:

cli-width@2.2.1

cli-width@4.1.0

inherits@2.0.4

mute-stream@0.0.6

mute-stream@1.0.0

signal-exit@3.0.7

Apache License 2.0

Permissive

OSI Approved

This is a human-readable summary of (and not a substitute for) the license. Disclaimer.

Can

commercial-use

modify

distribute

sublicense

private-use

use-patent-claims

place-warranty

Cannot

hold-liable

use-trademark

Must

include-copyright

include-license

state-changes

include-notice

2 Packages, Including:

rx@4.1.0

rxjs@7.8.1

BSD 3-Clause "New" or "Revised" License

Permissive

OSI Approved

This is a human-readable summary of (and not a substitute for) the license. Disclaimer.

Can

commercial-use

modify

distribute

place-warranty

Cannot

use-trademark

hold-liable

Must

include-copyright

include-license

1 Packages, Including:

ieee754@1.2.1

N/A

1 Packages, Including:

iniparser@1.0.5

Apache License, Version 2.0

Invalid

Not OSI Approved

1 Packages, Including:

rx-lite@4.0.8

BSD Zero Clause License

Permissive

OSI Approved

This is a human-readable summary of (and not a substitute for) the license. Disclaimer.

Can

commercial-use

modify

distribute

sublicense

private-use

include-copyright

include-license

include-original

Cannot

hold-liable

Must

1 Packages, Including:

tslib@2.6.2

(MIT OR CC0-1.0)

Public Domain

1 Packages, Including:

type-fest@0.21.3

Direct Dependencies

All Dependencies CSV

ⓘ This is a list of @gusmano/reext 's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

Name	Version	Size	License	Type	Vulnerabilities
chalk	5.3.0	13.08 kB	MIT	prod
iniparser	1.0.5	10 kB	UNKNOWN	prod	1
inquirer-select-directory	1.2.0	12.99 kB	MIT	prod	2 1
inquirer	9.2.19	86.92 kB	MIT	prod
react-dom	18.2.0	1.04 MB	MIT	prod peer
react	18.2.0	79.25 kB	MIT	prod peer

Tree

Treemap

@gusmano/reext 0.0.202

Issues

1 critical severity issue

4 high severity issues

1 moderate severity issue

1 low severity issue

Install Script Usage

The "postinstall" Script

Licenses

MIT License

ISC License

Apache License 2.0

BSD 3-Clause "New" or "Revised" License

N/A

Apache License, Version 2.0

BSD Zero Clause License

(MIT OR CC0-1.0)

Direct Dependencies

Visualizations

Recent Versions

Scan your app for security vulnerabilities and license issues

Log into your account

Create your account

@gusmano/reext 0.0.202

Issues

1 critical severity issue

4 high severity issues

1 moderate severity issue

1 low severity issue

Install Script Usage

The "postinstall" Script

Licenses

MIT License

ISC License

Apache License 2.0

BSD 3-Clause "New" or "Revised" License

N/A

Apache License, Version 2.0

BSD Zero Clause License

(MIT OR CC0-1.0)

Direct Dependencies

Visualizations

Recent Versions

Scan your app for security vulnerabilities and license issues