Clear up package name confusion by joshmgross · Pull Request #514 · actions/github-script
This repository is not the github-script package that's been identified as malware and it has never been published to the NPM registry.
Installing this repository as a repository package via NPM warns about this vulnerability due to the package.json name github-script. To clear up confusion, I've changed this name to @actions/github-script which is under our controlled Actions NPM scope.
Hello from actions/github-script! (ed2e029)
joshmgross deleted the joshmgross/update-package-name branch
Before this change:
```
~/projects/github-script-types ❯ npm i -D @actions/github-script@github:actions/github-script

added 38 packages, and audited 39 packages in 7s

1 critical severity vulnerability

Some issues need review, and may require choosing a different dependency.

Run `npm audit` for details.

~/projects/github-script-types 7s ❯ npm audit
# npm audit report

github-script  *
Severity: critical
Malware in github-script - https://github.com/advisories/GHSA-v9m5-8c6w-p3m5
No fix available
node_modules/@actions/github-script

1 critical severity vulnerability

Some issues need review, and may require choosing a different dependency.
```
Now:
```
~/projects/github-script-types ❯ npm i -D @actions/github-script@github:actions/github-script

changed 1 package, and audited 39 packages in 5s

found 0 vulnerabilities

~/projects/github-script-types 6s ❯ npm audit
found 0 vulnerabilities
```
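The name collision discussed in this pull request can be checked for in a lockfile. The following is an added example, not code from this pull request or from actions/github-script: it lists git-installed dependencies whose manifest name is unscoped and therefore shares a namespace with registry packages and their advisories. The lockfile entries are constructed, the function names are hypothetical, and it assumes the package-lock v2/v3 layout, where an entry carries a `name` field only when the manifest name differs from the install path.

```javascript
// Constructed sample lockfile (v3 shape); versions and commit ids are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "github-script-types" },
    "node_modules/@actions/github-script": {
      name: "github-script", // manifest name before the rename in this PR
      version: "0.0.0-placeholder",
      resolved: "git+ssh://git@github.com/actions/github-script.git#<commit-placeholder>"
    },
    "node_modules/@actions/core": {
      version: "0.0.0-placeholder",
      resolved: "https://registry.npmjs.org/@actions/core/-/core-0.0.0-placeholder.tgz"
    }
  }
};

// Package name implied by the install path (text after the last "node_modules/").
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Git-sourced packages with an unscoped manifest name: the case where a
// name-keyed advisory for an unrelated registry package can be reported.
function findAmbiguousNames(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const installedAs = nameFromPath(path);
    if (installedAs === null) continue; // root project entry
    const manifestName = entry.name || installedAs;
    const fromGit = /^git\+/.test(entry.resolved || "");
    if (fromGit && !manifestName.startsWith("@")) {
      findings.push({ path, installedAs, manifestName });
    }
  }
  return findings;
}

// Same lockfile after the rename: manifest name matches the scoped install
// path, so the separate "name" field is no longer present.
function afterRename(lock) {
  const copy = JSON.parse(JSON.stringify(lock));
  delete copy.packages["node_modules/@actions/github-script"].name;
  return copy;
}

console.log(findAmbiguousNames(sampleLock), findAmbiguousNames(afterRename(sampleLock)));
```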