Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the "name" field is always required in package.json, so this can't just be removed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What would be involved to rename the package to something like resolve-monorepo-symlink-test? In saying that, I think the posibility of a malicous person would simply deploy a new package with the new name, so this would be a temporary fix potentially. Unfortunately the scanner I used was AWS Inspector which I would think is widely used, so this is probably affecting many people as indicated with all the previous open issues.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I certainly could - but then people might not realize that their scanner doesn't actually understand how npm packages work, and might make the mistake of thinking it's helping their security.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think people might understand but a simple rename might save them lots of time explaining it's a false positive if they work in a medium/big company where such scans are heavily used.
I adapted the PR with the renaming. Up to you @ljharb :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ljharb i totally get where you are coming from. However it's not the internal discussion that is difficult, but it's to the 30 different customers, many from large enterprises who are using our docker packages.
We dont have the access to the right people, nor the bandwidth to explain they should ignore their security scanner. This means they are not deploying at all. It's quite a difficult situation where we are contemplating forking this package to address the issue. Obviously this is insane!