Core-js Security & License Audit

Generated on Apr 27, 2024 via pnpm

Repo

Npm

Home

Package summary

issue

license

Package created

18 Jul 2013

Version published

19 Nov 2023

Maintainers

Total deps

Direct deps

License

MIT

Issues

1 high severity issue

high

core-js@3.33.3

Package uses postinstall script: "node -e "try{require('./postinstall')}catch(e){}""

via: core-js@3.33.3

Collapse

Expand

Install Script Usage

ⓘ This section contains AI-generated explanations for this package's install scripts.
We recommend overviewing the package source files before installing to your project.

The "postinstall" Script

node -e "try{require('./postinstall')}catch(e){}"

The script provided is a post-installation script likely used by the core-js library. It checks for various environment variables to determine whether to display a thank you/support banner to the user. The script handles Adblock settings, console color preferences, silent mode, and checks for continuous integration (CI) environment variables. The script writes and reads the banner information to a temporary file (core-js-banners) located in the system's temporary directory to track the banners displayed and to avoid repeatedly showing the same banner if it has been shown within the last three minutes. There is no direct evidence of functionality within this code that steals sensitive information, gains root access, runs, or downloads remote code, or harms the system. It primarily focuses on logging banner messages for promoting and supporting the core-js project. The use of standard file and output operations in Node.js does not pose a security risk in the context presented.

Licenses

MIT License

Permissive

OSI Approved

This is a human-readable summary of (and not a substitute for) the license. Disclaimer.

Can

commercial-use

modify

distribute

sublicense

private-use

Cannot

hold-liable

Must

include-copyright

include-license

1 Packages, Including:

core-js@3.33.3

Direct Dependencies

All Dependencies CSV

ⓘ This is a list of core-js 's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

Name	Version	Size	License	Type	Vulnerabilities

Tree

Treemap

Frequently Asked Questions

What does core-js do?

Core-js is a modular standard library for JavaScript. It provides polyfills for ECMAScript, including promises, symbols, collections, iterators, typed arrays and various other features. Core-js also supports ECMAScript proposals and some cross-platform WHATWG / W3C features and proposals, like URL. You can choose to load only the features you need or use it without the pollution of the global namespace.

How do you use core-js?

To use Core-js, you can simply import it into your JavaScript file. Here is an example of using the whole library:

import 'core-js/actual';

Promise.resolve(42).then(it => console.log(it));  // => 42

Array.from(new Set([1, 2, 3]).union(new Set([3, 4, 5])));  // => [1, 2, 3, 4, 5]

If you only need certain features, you can import them individually:

import 'core-js/actual/promise';
import 'core-js/actual/iterator';

Promise.resolve(42).then(it => console.log(it));  // => 42

To avoid global namespace pollution, use the 'core-js-pure' import pattern:

import Promise from 'core-js-pure/actual/promise';

Promise.resolve(42).then(it => console.log(it));  // => 42

Where are the core-js docs?

The core-js documentation is available in its GitHub repository. This comprehensive guide provides deeper insights into the package's functionality, usage examples, and additional resources for better understanding and implementation.