Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add elykia elykia-img elykia-video #323

Closed
wants to merge 1 commit into from
+12 −0
Closed

feat: add elykia elykia-img elykia-video #323

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,9 @@
"@douyinfe",
"@eggjs",
"@electron",
"@elykia",
"@elykia-img",
"@elykia-video",
Comment on lines +75 to +77
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codebase verification

Security Concern: Recently Published Packages with Large Sizes

These packages raise several red flags:

  • All packages are very recently published (2 days to 12 minutes ago)
  • Unusually large package sizes (1.2MB, 97.7MB, 181.5MB) for packages with no dependencies
  • All maintained by the same new account "[email protected]"
  • Using wildcard versions (*) which is risky for untrusted packages

Recommend:

  • Remove these packages from the whitelist until proper security review
  • Investigate the package contents and publisher's reputation
  • If needed, specify fixed versions instead of wildcards after verification
🔗 Analysis chain

Verify new @Elykia scopes

The new scopes follow the correct alphabetical order and format, but please verify these are legitimate and trusted package scopes before allowing them in the whitelist.

Let me try a different approach to verify these packages.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify legitimacy of new elykia scopes
# Check if these scopes exist on npm registry
npm view @elykia
npm view @elykia-img  
npm view @elykia-video

Length of output: 905

Script:

#!/bin/bash
# Check npm registry directly for these packages without @ symbol
npm view elykia
npm view elykia-img
npm view elykia-video

# Also search for any references to these packages in the codebase
rg -i "elykia" -A 2 -B 2

Length of output: 1877

"@emotion",
"@ephox",
"@esbuild-plugins",
Expand Down Expand Up @@ -5245,6 +5248,15 @@
"elliptic": {
"version": "*"
},
"elykia": {
"version": "*"
},
"elykia-img": {
"version": "*"
},
"elykia-video": {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

image

不能用来当做免费的资源库使用。

"version": "*"
},
Comment on lines +5251 to +5259
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Consider restricting version ranges

The packages are added with wildcard versions (*). Consider restricting to specific version ranges to prevent potential security issues from untrusted versions.

-    "elykia": {
-      "version": "*"
-    },
-    "elykia-img": {
-      "version": "*" 
-    },
-    "elykia-video": {
-      "version": "*"
-    },
+    "elykia": {
+      "version": "^1.0.0"
+    },
+    "elykia-img": {
+      "version": "^1.0.0"
+    }, 
+    "elykia-video": {
+      "version": "^1.0.0"
+    },

Committable suggestion skipped: line range outside the PR's diff.

"emailjs": {
"version": "*"
},
Expand Down
Loading