Remove unused "resolve" dependency #6697

@botic

The zip-it-and-ship-it package contains an unused dependency (as far as I could evaluate), which runs a postinstall script: ljharb-monorepo-symlink-test looks like it is never used. Since the overall state of the package looks unmaintained and delicate for supply-chain attacks, you might consider it for a deeper review:

⚠️  Package with lifecycle scripts detected:
   Name: ljharb-monorepo-symlink-test
   Version: 0.0.0
   Location: /Users/myself/Code/mediathek-web/node_modules/@netlify/zip-it-and-ship-it/node_modules/resolve/test/resolver/multirepo
   Scripts:
      postinstall: lerna bootstrap

It has been used here:
https://github.com/netlify/build/blob/main/packages/zip-it-and-ship-it/src/resolve.js

See this commit:
d29d023

The used package is already a fork from an original monorepo-symlink-test package, which turned out to be malicious.

It would be great to reduce the dependency footprint, especially for such a weird old package as ljharb-monorepo-symlink-test appears to be.
