@markerikson

This is a draft PR for visibility.

When I implemented our Chromium support for React DevTools via backend "routines" (as described in https://blog.replay.io/how-we-rebuilt-react-devtools-with-replay-routines ), I forked the React DevTools to make a number of internal changes, such as saving operations data separately and persisting "marker" annotations to Replay's backend.

Along the way I also tried to shrink down the size of the JS bundle artifacts that we were evaluating in our backend paused browser instances. They were originally around 500K+, and I was able to knock off about 60-70K of that by removing code that's irrelevant for our use case.

mondaychen pushed a commit to facebook/react that referenced this pull request Feb 9, 2023
…bundle size (#26122)

## Summary

This PR:

- Replaces the existing usages of methods from the `semver` library in
the React DevTools source with an inlined version based on
https://www.npmjs.com/package/semver-compare.

This appears to drop the unminified bundle sizes of 3 separate
`react-devtools-extensions` build artifacts by about 50K:


![image](https://user-images.githubusercontent.com/1128784/217326947-4c26d1be-d834-4f77-9e6e-be2d5ed0954d.png)


## How did you test this change?

I was originally working on [a fork of React
DevTools](replayio#2) for use with
https://replay.io , specifically our integration of the React DevTools
UI to show the React component tree while users are debugging a recorded
application.

As part of the dev work on that fork, I wanted to shrink the bundle size
of the extension's generated JS build artifacts. I noted that the
official NPM `semver` library was taking up a noticeable chunk of space
in the bundles, and saw that it's only being used in a handful of places
to do some very simple version string comparisons.

I was able to replace the `semver` imports and usages with a simple
alternate comparison function, and confirmed via hands-on checks and
console logging that the checks behaved the same way.

Given that, I wanted to upstream this particular change to help shrink
the real extension's bundle sizes.

I know that it's an extension, so bundle size isn't _as_ critical a
concern as it would be for a pure library. But, smaller download sizes
do benefit all users, and that also includes sites like CodeSandbox and
Replay that are using the React DevTools as a library as well.

I'm happy to tweak this PR if necessary.  Thanks!
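
An added example, not the PR's code and not part of the commit message above: a numeric dotted-version comparator in the style of `semver-compare`, with the edge cases worth checking when it stands in for `semver`. The function names, the strict `satisfiesMinimum` guard and the sample versions are assumptions.

```javascript
// Added example: numeric dotted-version comparison in the style of
// semver-compare. All names and sample versions below are hypothetical.

// Returns 1 if a > b, -1 if a < b, 0 if the first three segments compare equal.
function compareVersions(a, b) {
  const pa = String(a).split('.');
  const pb = String(b).split('.');
  for (let i = 0; i < 3; i++) {
    const na = Number(pa[i]);
    const nb = Number(pb[i]);
    if (na > nb) return 1;
    if (nb > na) return -1;
    // A missing or non-numeric segment ("0-rc", undefined) sorts below a number.
    if (!Number.isNaN(na) && Number.isNaN(nb)) return 1;
    if (Number.isNaN(na) && !Number.isNaN(nb)) return -1;
  }
  return 0;
}

const gt = (a, b) => compareVersions(a, b) === 1;
const gte = (a, b) => compareVersions(a, b) >= 0;

// Plain x.y.z strings are the inputs where this comparator is unambiguous.
function isPlainVersion(v) {
  return typeof v === 'string' && /^\d+\.\d+\.\d+$/.test(v);
}

// Hypothetical strict variant for version-gated behaviour: anything that is
// not plain x.y.z is treated as "does not satisfy" instead of being guessed at.
function satisfiesMinimum(version, minimum) {
  if (!isPlainVersion(version) || !isPlainVersion(minimum)) return false;
  return gte(version, minimum);
}

// Constructed cases: [a, b, expected compareVersions(a, b)]
const CASES = [
  ['16.10.0', '16.9.0', 1],          // numeric, not lexicographic
  ['17.0.2', '18.0.0', -1],
  ['18.2.0', '18.2.0', 0],
  ['19.0.0-rc.0', '19.0.0', -1],     // "0-rc" is NaN, so it sorts below 0
  ['19.0.0-rc.0', '19.0.0-rc.1', 0], // prerelease tags are not ordered
  ['18.2', '18.2.0', -1],            // a missing patch is not treated as 0
];

// One boolean per case: does the comparator return the expected value?
function runCases() {
  return CASES.map(([a, b, want]) => compareVersions(a, b) === want);
}

console.log(runCases().every(Boolean) ? 'all cases match' : 'mismatch');
```

The last three cases are where a comparator like this differs from full semver ordering, so call sites that can see prerelease or two-segment versions need their own handling.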
github-actions bot pushed a commit to facebook/react that referenced this pull request Feb 9, 2023
…bundle size (#26122)

DiffTrain build for [78d2e9e](78d2e9e)
[View git log for this commit](https://github.com/facebook/react/commits/78d2e9e2a894a7ea9aa3f9faadfc4c6038e86a75)
@markerikson markerikson force-pushed the feature/replay-react-devtools branch from a34bbbe to 8e163ad Compare March 15, 2023 17:12
@bvaughn
bvaughn commented Oct 19, 2023

Note for future me:

Building

I'm running Node v18 and the `build:chrome` step failed for me with an `ERR_OSSL_EVP_UNSUPPORTED` error. The workaround was to use the `--openssl-legacy-provider` flag.

```
NODE_OPTIONS=--openssl-legacy-provider yarn build:chrome
```

Releasing

Then I had to copy the contents of <react-root>/packages/react-devtools-extension/chrome/build/unpacked/build/react_devtools_backend_compact.js into <replay-root>/src/ui/components/SecondaryToolbox/react-devtools/react_devtools_backend.raw.js

@bvaughn bvaughn force-pushed the feature/replay-react-devtools branch from 3a87e14 to 6732942 Compare October 20, 2023 14:49
jerrydev0927 added a commit to jerrydev0927/react that referenced this pull request Jan 5, 2024
…bundle size (#26122)

DiffTrain build for [78d2e9e2a894a7ea9aa3f9faadfc4c6038e86a75](facebook/react@78d2e9e)
[View git log for this commit](https://github.com/facebook/react/commits/78d2e9e2a894a7ea9aa3f9faadfc4c6038e86a75)
rickhanlonii and others added 22 commits April 26, 2024 16:03
…#28955)

## Summary

I'm looking at cleaning up some unnecessary manual property flattening
in React Native and wanted to verify this behaviour is working as
expected, where properties from nested objects will always overwrite
properties from the base object.

## How did you test this change?

Unit tests
Move useMemoCache hook to react/compiler-runtime

For Meta-internal purposes, we keep the export on `react` itself to
reduce churn.
Enables the Reanimated flag automatically if we find reanimated in the
user's list of plugins

ghstack-source-id: 20e83374612362a30d6c8cc7a903d9320e8cc23a
Pull Request resolved: facebook/react-forget#2915
ghstack-source-id: 79f3319d87909d05731ef821d0ffe86cb01b0432
Pull Request resolved: facebook/react-forget#2920
Show compiling status message and not just block
UI.

ghstack-source-id: 67761c5d32216e105c4aa6404dfa07d76ae22583
Pull Request resolved: https://github.com/facebook/react-forget/pull/2921
ghstack-source-id: f05222073be785b77346c4e8760bf4d0bb4d658e
Pull Request resolved: https://github.com/facebook/react-forget/pull/2922
Add a configurable list of known incompatible libraries.

Check all package.jsons for any uses of known incompatible libraries and
warn if found.

ghstack-source-id: 7329e3792b57458e681780cba3140a14a9b1a60d
Pull Request resolved: https://github.com/facebook/react-forget/pull/2923
Makes it easier to extend later, if we want to add more checks.

ghstack-source-id: 6fb3435555f1b988e1a185bfda8be9418eb622c5
Pull Request resolved: https://github.com/facebook/react-forget/pull/2924
Treat MethodCalls similar to general CallExpressions and mark them
as escaping in PruneNonEscapingScopes pass.

ghstack-source-id: 3c81bdb17f58fbeef8be24e7cb363172d1867217
Pull Request resolved: https://github.com/facebook/react-forget/pull/2925
…ook#2918)

This uses the compiler runtime from `react/compiler-runtime` by default unless `compilerRuntime` is specified in the Babel options which then imports the runtime from there. The `useMemoCache` hook is now named `c` in accordance with facebook@4508873

Unfortunately, I couldn't figure out how to import `react@beta` which already has that import as various react versions were conflicting. If someone can figure this out it'd be fantastic. As a result, I had to update the default for the test runner to default the `compilerRuntime` option to `react` to preserve the previous behavior to import from `react`. Once upgraded to React 19, we should be able to remove that override.
To make a first time setup of the compiler truly config-less, default to
not compiling node_modules unless a user provided `sources` (advanced
option) is provided

ghstack-source-id: b0798052404d772ce6ee471e577699d4b0871d56
Pull Request resolved: facebook/react-forget#2919
When a React PR is opened CI will report large size changes. But for
critical packages like react-dom it reports always. In React 19 we moved
the build for react-dom the client reconciler from react-dom to
react-dom/client

This change adds react-dom-client artifacts for stable and oss channels
since that is originally what was being tracked. But since
react-dom/client always imports react-dom I left the original react-dom
packages as critical as well. They are small but it would be good to
keep an eye on them
)

## Summary

This PR introduces a faster version of the `addProperties` function.
This new function is basically the `diffProperties` with `prevProps` set
to `null`, propagated constants, and all the unreachable code paths
collapsed.

## How did you test this change?

I've tested this change with [the benchmark
app](https://github.com/react-native-community/RNNewArchitectureApp/tree/new-architecture-benchmarks)
and got ~4.4% improvement in the view creation time.
ghstack-source-id: bb66913e2d3c814696311371ed655f3da03d1199
Pull Request resolved: facebook/react-forget#2926
ghstack-source-id: cce73f26b7b3903b8d79b70dbc24cbee09693d81
Pull Request resolved: facebook/react-forget#2927
mvitousek and others added 25 commits May 31, 2024 14:06
Summary: jmbrown215 recently had an observation that the arguments to useState/useRef are only used when a component renders for the first time, and never afterwards. We can skip more computation than we previously could, with reactive blocks that previously recomputed values when inputs changed now only ever computing them on the first render.

ghstack-source-id: 5d044ef
Pull Request resolved: facebook#29653
Summary: This PR expands the analysis from the previous in the stack in order to also capture when a value can incorrectly change within a single render, rather than just changing between two renders. In the case where dependencies have changed and so a new value is being computed, we now compute the value twice and compare the results. This would, for example, catch when we call Math.random() in render.

The generated code is a little convoluted, because we don't want to have to traverse the generated code and substitute variable names with new ones. Instead, we save the initial value to the cache as normal, then run the computation block again and compare the resulting values to the cached ones. Then, to make sure that the cached values are identical to the computed ones, we reassign the cached values into the output variables.

ghstack-source-id: d0f11a4
Pull Request resolved: facebook#29657
…ive scopes for debugging

Summary: Using the change detection code to debug codebases that violate the rules of react is a lot easier when we have a source location corresponding to the value that has changed inappropriately. I didn't see an easy way to track that information in the existing data structures at the point of codegen, so this PR adds locations to identifiers and reactive scopes (the location of a reactive scope is the range of the locations of its included identifiers).

I'm interested if there's a better way to do this that I missed!

ghstack-source-id: aed5f7e
Pull Request resolved: facebook#29658
…k#29670)

When a component suspends with `use`, we switch to the "re-render"
dispatcher during the subsequent render attempt, so that we can reuse
the work from the initial attempt. However, once we run out of hooks
from the previous attempt, we should switch back to the regular "update"
dispatcher.

This is conceptually the same fix as the one introduced in
facebook#26232. That fix only accounted
for initial mount, but the useTransition regression test added in
f829733 illustrates that we need to
handle updates, too.

The issue affects more than just useTransition but because most of the
behavior between the "re-render" and "update" dispatchers is the same
it's hard to contrive other scenarios in a test, which is probably why
it took so long for someone to notice.

Closes facebook#28923 and facebook#29209

---------

Co-authored-by: eps1lon <[email protected]>
Eslint rules should never throw, so if we fail to parse with Babel or
Hermes, we should just ignore the error. This should fix issues such as
trying to run the eslint rule on non tsx|ts|jsx|js files, Hermes parser
not supporting certain JS syntax, etc.

I didn't add a test for this as our eslint-rule-tester config uses
hermes-eslint parser, so it wasn't possible to add a top level await as
it would crash hermes-eslint before our rule was triggered. Similarly I
couldn't add a test for non-JS files as it would not be parseable by
hermes-eslint.

Fixes facebook#29107

ghstack-source-id: 60afcdb
Pull Request resolved: facebook#29631
…ce maps from (facebook#29708)

This lets you click a stack frame on the client and see the Server
source code inline.

<img width="871" alt="Screenshot 2024-06-01 at 11 44 24 PM"
src="https://github.com/facebook/react/assets/63648/581281ce-0dce-40c0-a084-4a6d53ba1682">

<img width="840" alt="Screenshot 2024-06-01 at 11 43 37 PM"
src="https://github.com/facebook/react/assets/63648/00dc77af-07c1-4389-9ae0-cf1f45199efb">

We could do some logic on the server that sends a source map url for
every stack frame in the RSC payload. That would make the client
potentially config free. However regardless we need the config to
describe what url scheme to use since that’s not built in to the bundler
config. In practice you likely have a common pattern for your source
maps so no need to send data over and over when we can just have a
simple function configured on the client.

The server must return a source map, even if the file is not actually
compiled since the fake file is still compiled.

The source mapping strategy can be one of two models depending on if the
server’s stack traces (`new Error().stack`) are source mapped back to
the original (`--enable-source-maps`) or represents the location in
compiled code (like in the browser).

If it represents the location in compiled code it’s actually easier. You
just serve the source map generated for that file by the tooling.

If it is already source mapped it has to generate a source map where
everything points to the same location (as if not compiled) ideally with
a segment per logical ast node.
Requires facebook#29706

The strategy here is to:
- Checkout the builds/facebook-www branch
- Read the current sync'd VERSION
- Checkout main and sync new build
- sed/{new version string}/{old version string}
- Run git status, skip sync if clean
- Otherwise, sed/{old version string}/{new version string} and push
commit

This means that:
- We're using the real version strings from the builds
- We are checking the last commit on the branch for the real last
version
- We're skipping any commits that won't result in changes
- ???
- Profit!
Host Components can exist as four semantic types

1. regular Components (Vanilla obv)
2. singleton Components
3. hoistable components
4. resources

Each of these component types have their own rules related to mounting
and reconciliation however they are not directly modeled as their own
unique fiber type. This is partly for code size but also because
reconciling the inner type of these components would be in a very hot
path in fiber creation and reconciliation and it's just not practical to
do this logic check here.

Right now we have three Fiber types used to implement these 4 concepts
but we probably need to reconsider the model and think of Host
Components as a single fiber type with an inner implementation. Once we
do this we can regularize things like transitioning between a resource
and a regular component or a singleton and a hoistable instance. The
cases where these transitions happen today aren't particularly common
but they can be observed and currently the handling of these transitions
is incomplete at best and buggy at worst. The most egregious case is the
link type. This can be a regular component (stylesheet without
precedence) a hoistable component (non stylesheet link tags) or a
resource (stylesheet with a precedence) and if you have a single jsx
slot that tries to reconcile transitions between these types it just
doesn't work well.

This commit adds an error for when a Hoistable goes from Instance to
Resource. Currently this is only possible for `<link>` elements going to
and from stylesheets with precedence. Hopefully we'll be able to remove
this error and implement as an inner type before we encounter new
categories for the Hoistable types

detecting type shifting to and from regular components is harder to do
efficiently because we don't want to reevaluate the type on every update
for host components which is currently not required and would add
overhead to a very hot path

singletons can't really type shift in their one practical implementation
(DOM) so they are only a problem in theory not practice
Mini-refactor of useActionState to only wrap the action in a transition
context if the dispatch is called during a transition. Conceptually, the
action starts as soon as the dispatch is called, even if the action is
queued until earlier ones finish.

We will also warn if an async action is dispatched outside of a
transition, since that is almost certainly a mistake. Ideally we would
automatically upgrade these to a transition, but we don't have a great
way to tell if the action is async until after it's already run.
Based on

- facebook#29694 

---

If an action in the useActionState queue errors, we shouldn't run any
subsequent actions. The contract of useActionState is that the actions
run in sequence, and that one action can assume that all previous
actions have completed successfully.

For example, in a shopping cart UI, you might dispatch an "Add to cart"
action followed by a "Checkout" action. If the "Add to cart" action
errors, the "Checkout" action should not run.

An implication of this change is that once useActionState falls into an
error state, the only way to recover is to reset the component tree,
i.e. by unmounting and remounting. The way to customize the error
handling behavior is to wrap the action body in a try/catch.
RC releases are a special kind of prerelease build because unlike
canaries we shouldn't publish new RCs from any commit on `main`, only
when we intentionally bump the RC number. But they are still prereleases
— like canary and experimental releases, they should use exact version
numbers in their dependencies (no ^).

We only need to generate these builds during the RC phase, i.e. when the
canary channel label is set to "rc".

Example of resulting package.json output:

```json
{
  "name": "react-dom",
  "version": "19.0.0-rc.0",
  "dependencies": {
    "scheduler": "0.25.0-rc.0"
  },
  "peerDependencies": {
    "react": "19.0.0-rc.0"
  }
}
```


https://react-builds.vercel.app/prs/29736/files/oss-stable-rc/react-dom/package.json
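
An added example, not the React release scripts and not part of the commit message above: a check that a prerelease manifest such as the one shown pins every dependency to an exact version. The function names and the two counter-example manifests are assumptions constructed for illustration.

```javascript
// Added example: flag range specifiers in a prerelease package manifest.
// Function names and the constructed manifests are hypothetical.

const DEP_FIELDS = ['dependencies', 'peerDependencies', 'optionalDependencies'];

// x.y.z-tag, e.g. 19.0.0-rc.0
function isPrerelease(version) {
  return /^\d+\.\d+\.\d+-[0-9A-Za-z.-]+$/.test(version);
}

// Exact spec: bare x.y.z with an optional -tag. Anything carrying
// ^ ~ > < = * || or whitespace is a range and is rejected.
function isExactSpec(spec) {
  return typeof spec === 'string' &&
    /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Returns one finding per dependency whose spec is not exact.
// Stable manifests are outside this rule and always return [].
function findUnpinned(manifest) {
  if (!isPrerelease(String(manifest.version || ''))) return [];
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!isExactSpec(spec)) findings.push({field, name, spec});
    }
  }
  return findings;
}

// The manifest from the commit message above.
const RC_MANIFEST = {
  name: 'react-dom',
  version: '19.0.0-rc.0',
  dependencies: {scheduler: '0.25.0-rc.0'},
  peerDependencies: {react: '19.0.0-rc.0'},
};

// Constructed counter-example: same release, but with ranges.
// ^0.25.0-rc.0 would also accept 0.25.0-rc.1 or 0.25.0, so an install
// could resolve a different build than the one this RC was tested with.
const RANGED_MANIFEST = {
  name: 'react-dom',
  version: '19.0.0-rc.0',
  dependencies: {scheduler: '^0.25.0-rc.0'},
  peerDependencies: {react: '>=19.0.0-rc.0'},
};

// Constructed stable manifest: ranges are not reported here.
const STABLE_MANIFEST = {
  name: 'example-stable',
  version: '1.2.3',
  dependencies: {scheduler: '^0.25.0'},
};

for (const m of [RC_MANIFEST, RANGED_MANIFEST, STABLE_MANIFEST]) {
  console.log(m.name, m.version, JSON.stringify(findUnpinned(m)));
}
```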
facebook#29697)

This information is available in the regular stack but since that's
hidden behind an expando and our appended stack to logs is not hidden,
it hides the most important frames like the name of the current
component.

This is closer to what happens to the native stack.

We only include stacks if they're within a ReactFiberCallUserSpace call
frame. This should be most that have a current fiber but this is
critical to filtering out most React frames if the regular node_modules
filter doesn't work.

Most React warnings fire during the rendering phase and not inside a
user space function but some do like hooks warnings and setState in
render. This feature is more important if we port this to React DevTools
appending stacks to all logs where it's likely to originate from inside
a component and you want the line within that component to immediately
be part of the visible stack.

One thing that kind of sucks is that we don't have a reliable way to
exclude React internal stack frames. We filter node_modules but it might
not match. For other cases I try hard to only track the stack frame at
the root of React (e.g. immediately inside createElement) until the
ReactFiberCallUserSpace so we don't need the filtering to work. In this
case it's hard to achieve the same thing though. This is easier in RDT
because we have the start/end line and parsing of stack traces so we can
use that to exclude internals but that's a lot of code/complexity for
shipping within the library.

For example in Safari:

<img width="590" alt="Screenshot 2024-05-31 at 6 15 27 PM"
src="https://github.com/facebook/react/assets/63648/2820c8c0-8a03-42e9-8678-8348f66b051a">

Ideally warnOnUseFormStateInDev and useFormState wouldn't be included
since they're React internals. Before this change, the Counter.js line
also wasn't included though which points to exactly where the error is
within the user code.

(Note Server Components have V8 formatted lines and Client Components
have JSC formatted lines.)
Use some clever git diffing to ignore lines that only change the
`@generated` header. We can't do this for the version string because the
version string can be embedded in lines with other changes, but this
header is always on one line.
…ed (facebook#29720)

Following the instructions in the compiler/docs/DEVELOPMENT_GUIDE.md, we are stuck on the command `yarn snap --watch` because it calls readTestFilter even though the filter option is not enabled.
www: set enableRefAsProp to true
… of react (facebook#29753)

## Summary

Remove `startTransition` and `useActionState` from `react-server`
condition of react, as they should only stay in client bundle.
This will reduce the server bundle of react itself. 

Found this while tracing where the `process.emit` was called.

## How did you test this change?

## Overview

We didn't have any tests that ran in persistent mode with the xplat
feature flags (for either variant).

As a result, invalid test gating like in
facebook#29664 were not caught.

This PR adds test flavors for `ReactFeatureFlag-native-fb.js` in both
variants.
@socket-security
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

npm/@babel/[email protected] None 0 68.9 kB nicolo-ribaudo
npm/@babel/[email protected] environment 0 144 kB nicolo-ribaudo
npm/@babel/[email protected] environment 0 2.5 MB nicolo-ribaudo
npm/@babel/[email protected] environment +3 2.5 MB nicolo-ribaudo
npm/@cspotcode/[email protected] filesystem +1 194 kB cspotcode
npm/@eslint-community/[email protected] None 0 431 kB eslint-community-bot
npm/@eslint/[email protected] filesystem, unsafe Transitive: environment +4 1.41 MB eslintbot
npm/@eslint/[email protected] None 0 14.2 kB eslintbot
npm/@hapi/[email protected] None 0 51.5 kB devinivy
npm/@heroicons/[email protected] None 0 860 kB bradlc
npm/@humanwhocodes/[email protected] None 0 53.3 kB nzakas
npm/@jest/[email protected] unsafe Transitive: environment +5 362 kB simenb
npm/@jest/[email protected] None 0 13.2 kB simenb
npm/@jest/[email protected] None 0 5.15 kB simenb
npm/@jest/[email protected] None 0 25.2 kB simenb
npm/@jest/[email protected] None 0 3.32 kB simenb
npm/@jest/[email protected] environment, unsafe Transitive: filesystem +15 765 kB simenb
npm/@jest/[email protected] None +1 11.4 kB simenb
npm/@jest/[email protected] None +1 16.7 kB simenb
npm/@jest/[email protected] Transitive: environment, filesystem, shell, unsafe +5 1.54 MB simenb
npm/@monaco-editor/[email protected] None +1 109 kB surenat
npm/@monaco-editor/[email protected] None 0 151 kB surenat
npm/@napi-rs/[email protected] None 0 8.67 MB broooooklyn
npm/@next/[email protected] environment, filesystem 0 6.95 kB vercel-release-bot
npm/@next/[email protected] filesystem +1 136 kB vercel-release-bot
npm/@next/[email protected] None 0 108 MB vercel-release-bot
npm/@next/[email protected] None 0 109 MB vercel-release-bot
npm/@next/[email protected] None 0 110 MB vercel-release-bot
npm/@next/[email protected] None 0 130 MB vercel-release-bot
npm/@next/[email protected] None 0 123 MB vercel-release-bot
npm/@next/[email protected] None 0 143 MB vercel-release-bot
npm/@next/[email protected] None 0 96.7 MB vercel-release-bot
npm/@next/[email protected] None 0 89.8 MB vercel-release-bot
npm/@next/[email protected] None 0 128 MB vercel-release-bot
npm/@parcel/[email protected] Transitive: environment, filesystem +2 2.63 MB devongovett
npm/@pkgr/[email protected] environment Transitive: filesystem, shell +27 592 kB jounqin
npm/@playwright/[email protected] Transitive: environment, eval, filesystem, network, shell, unsafe +2 10.1 MB yurys
npm/@playwright/[email protected] Transitive: environment, eval, filesystem, network, shell, unsafe +2 10.1 MB yurys
npm/@pmmmwh/[email protected] environment, filesystem Transitive: eval +6 1.4 MB pmmmwh
npm/@rollup/[email protected] filesystem +4 727 kB shellscape
npm/@rollup/[email protected] None +2 118 kB shellscape
npm/@rollup/[email protected] filesystem Transitive: unsafe +7 247 kB shellscape
npm/@rollup/[email protected] eval, unsafe Transitive: environment +2 2.26 MB lukastaegert
npm/@rollup/[email protected] environment, filesystem +1 185 kB shellscape
npm/@rushstack/[email protected] None 0 46.5 kB odspnpm
npm/@sinclair/[email protected] None 0 303 kB sinclair
npm/@sinonjs/[email protected] None +1 80.1 kB mrgnrdrck
npm/@sinonjs/[email protected] eval 0 91.6 kB fatso83
npm/@swc/[email protected] None 0 228 kB kdy1
npm/@testing-library/[email protected] environment Transitive: eval +3 2.64 MB testing-library-bot
npm/@testing-library/[email protected] environment 0 4.02 MB testing-library-bot
npm/@tsconfig/[email protected] None 0 2.39 kB typescript-deploys
npm/@tsconfig/[email protected] None 0 2.5 kB typescript-deploys
npm/@tsconfig/[email protected] None 0 2.39 kB typescript-deploys
npm/@tsconfig/[email protected] None 0 2.39 kB typescript-deploys
npm/@tsconfig/[email protected] None 0 3.55 kB typescript-deploys
npm/@tsconfig/[email protected] None 0 2.98 kB typescript-deploys
npm/@types/[email protected] None 0 5.94 kB types
npm/@types/[email protected] None 0 126 kB types
npm/@types/[email protected] None 0 84.1 kB types
npm/@types/[email protected] None 0 192 kB types
npm/@types/[email protected] None 0 25.7 kB types
npm/@types/[email protected] None 0 12.1 kB types
npm/@types/[email protected] None +1 19.2 kB types
npm/@types/[email protected] None 0 4.26 kB types
npm/@types/[email protected] None 0 5.45 kB types
npm/@types/[email protected] None 0 73.6 kB types
npm/@types/[email protected] Transitive: environment, unsafe +18 626 kB types
npm/@types/[email protected] None +1 35.8 kB types
npm/@types/[email protected] None 0 3 kB types
npm/@types/[email protected] None 0 3.56 MB types
npm/@types/[email protected] None 0 3.5 MB types
npm/@types/[email protected] None 0 2.06 MB types
npm/@types/[email protected] None 0 49.8 kB types
npm/@types/[email protected] None 0 1.72 kB types
npm/@types/[email protected] None 0 28.8 kB types
npm/@types/[email protected] None +3 1.38 MB types
npm/@types/[email protected] None +3 1.38 MB types
npm/@types/[email protected] None 0 23.3 kB types
npm/@types/[email protected] None +1 116 kB types
npm/@typescript-eslint/[email protected] Transitive: environment, filesystem, unsafe +31 6.43 MB jameshenry
npm/@typescript-eslint/[email protected] Transitive: environment, filesystem, unsafe +16 2.31 MB jameshenry
npm/@typescript-eslint/[email protected] None +1 769 kB jameshenry
npm/@typescript-eslint/[email protected] None 0 160 kB jameshenry
npm/@typescript-eslint/[email protected] Transitive: environment, filesystem +9 2.03 MB jameshenry
npm/@typescript-eslint/[email protected] None +1 51.6 kB jameshenry
npm/@use-gesture/[email protected] environment 0 349 kB dbismut
npm/@use-gesture/[email protected] environment 0 37.7 kB dbismut
npm/[email protected] None 0 531 kB marijn
npm/[email protected] None 0 161 kB jessebeach
npm/[email protected] None 0 8.05 kB ljharb
npm/[email protected] None 0 25 kB ljharb
npm/[email protected] Transitive: eval +39 2.71 MB ljharb
npm/[email protected] None +1 28.6 kB ljharb
npm/[email protected] None +1 28.1 kB ljharb
npm/[email protected] None 0 7.23 kB ljharb
npm/[email protected] environment +1 266 kB ai
npm/[email protected] None 0 2.35 MB npmdeque
npm/[email protected] Transitive: eval +19 513 kB jessebeach
npm/[email protected] environment Transitive: filesystem, shell +6 118 kB simenb
npm/[email protected] environment Transitive: eval, filesystem, network, shell, unsafe +38 764 kB simenb
npm/[email protected] None 0 9.62 kB kayhadrin
npm/[email protected] environment Transitive: filesystem +18 1.48 MB kayhadrin
npm/[email protected] None +3 64.6 kB simenb
npm/[email protected] None 0 5.95 kB hermes-team
npm/[email protected] Transitive: eval +1 8.19 kB simenb
npm/[email protected] environment, filesystem 0 47.8 kB huafu
npm/[email protected] None 0 1.97 MB caniuse-lite
npm/[email protected] None 0 2.05 MB caniuse-lite
npm/[email protected] environment 0 26.1 kB sibiraj-s
npm/[email protected] None 0 611 B sebmarkbage
npm/[email protected] None 0 5.67 kB lukeed
npm/[email protected] None 0 662 kB zloirock
npm/[email protected] filesystem, unsafe 0 6.25 kB pi0
npm/[email protected] None +3 181 kB evilebottnawi
npm/[email protected] None 0 283 kB mikemcl
npm/[email protected] None 0 8.11 kB thlorenz
npm/[email protected] None 0 31.2 kB tehshrike
npm/[email protected] None +3 56.6 kB ljharb
npm/[email protected] None +1 19.7 kB ljharb
npm/[email protected] None 0 287 kB kilianvalkhof
npm/[email protected] None 0 187 kB thelarkinn
npm/[email protected] None 0 413 kB feedic
npm/[email protected] None +23 1.95 MB ljharb
npm/[email protected] Transitive: eval +38 718 kB ljharb
npm/[email protected] eval +3 531 kB medikoo
npm/[email protected] unsafe Transitive: environment, eval, filesystem +92 9.73 MB vercel-release-bot
npm/[email protected] None 0 36.4 kB ljharb
npm/[email protected] None 0 148 kB eslintbot
npm/[email protected] None +1 383 kB mysticatea
npm/[email protected] None 0 0 B
npm/[email protected] None 0 0 B
npm/[email protected] filesystem Transitive: environment, unsafe +15 4.35 MB eslintbot
npm/[email protected] environment Transitive: filesystem, unsafe +17 3.61 MB eslintbot
npm/[email protected] None +1 101 kB eslintbot
npm/[email protected] filesystem 0 91.9 kB mrmlnc
npm/[email protected] environment +1 769 kB kayhadrin
npm/[email protected] None 0 40.3 kB webreflection
npm/[email protected] None 0 153 MB flowtype
npm/[email protected] Transitive: unsafe +2 60.2 kB flowtype
npm/[email protected] filesystem 0 32.5 kB marcw136
npm/[email protected] eval 0 37.1 kB ljharb
npm/[email protected] None +1 1.3 MB cristianbote
npm/[email protected] None 0 237 kB orling
npm/[email protected] Transitive: filesystem +2 1.5 MB hermes-team
npm/[email protected] Transitive: filesystem +2 1.58 MB hermes-team
npm/[email protected] None 0 264 kB hermes-team
npm/[email protected] filesystem +1 1.34 MB hermes-team
npm/[email protected] filesystem +1 1.34 MB hermes-team
npm/[email protected] environment, filesystem, network Transitive: shell +33 2.18 MB thornjad
npm/[email protected] None +2 41.2 kB ljharb
npm/[email protected] None +1 19.1 kB ljharb
npm/[email protected] None 0 29.3 kB ljharb
npm/[email protected] None +1 31.7 kB ljharb
npm/[email protected] None 0 12.7 kB ljharb
npm/[email protected] None 0 12.3 kB ljharb
npm/[email protected] None +3 56.5 kB ljharb
npm/[email protected] None 0 34.4 kB oss-bot
npm/[email protected] environment 0 253 kB isaacs
npm/[email protected] environment Transitive: shell +6 139 kB simenb
npm/[email protected] Transitive: unsafe +6 105 kB simenb
npm/[email protected] None +4 308 kB simenb
npm/[email protected] Transitive: environment +5 171 kB simenb
npm/[email protected] None +1 12.9 kB simenb
npm/[email protected] None 0 38 kB simenb
npm/[email protected] Transitive: environment, unsafe +13 290 kB simenb
npm/[email protected] None +3 51.4 kB simenb
npm/[email protected] unsafe 0 8.57 kB simenb
npm/[email protected] environment, filesystem, shell, unsafe Transitive: network +5 157 kB simenb
npm/[email protected] unsafe 0 6.53 kB simenb
npm/[email protected] None 0 42 kB simenb
npm/[email protected] None 0 8.93 kB simenb
npm/[email protected] environment, unsafe +2 72.4 kB simenb
npm/[email protected] environment Transitive: filesystem, unsafe +2 120 kB simenb
npm/[email protected] unsafe Transitive: environment, shell +9 354 kB simenb
npm/[email protected] eval +3 224 kB simenb
npm/[email protected] None +1 39.9 kB simenb
npm/[email protected] environment, shell 0 69.1 kB simenb
npm/[email protected] None 0 5.06 kB simenb
npm/[email protected] Transitive: environment, eval, filesystem, network, shell, unsafe +157 6.18 MB simenb
npm/[email protected] environment, filesystem, unsafe 0 1.95 MB pi0
npm/[email protected] None 0 1.1 MB yaozilong
npm/[email protected] None 0 6.04 kB metro-bot
npm/[email protected] eval, filesystem, network, shell, unsafe +7 3.19 MB domenic
npm/[email protected] eval, filesystem, network, shell, unsafe Transitive: environment +18 5.46 MB domenic
npm/[email protected] None 0 230 kB ljharb
npm/[email protected] filesystem 0 16.6 kB antonk52
npm/[email protected] None 0 176 kB pieroxy
npm/[email protected] unsafe +1 186 kB evilebottnawi
npm/[email protected] None 0 285 kB isaacs
npm/[email protected] filesystem Transitive: environment, eval +1 2.18 MB vscode-bot
npm/[email protected] environment, network 0 79.5 MB alexandrudima
npm/[email protected] environment, network 0 99 MB vscode-bot
npm/[email protected] None 0 24.4 kB ai
npm/[email protected] environment, filesystem, network, shell, unsafe +3 73.6 MB vercel-release-bot
npm/[email protected] environment 0 459 kB iamhosseindhv
npm/[email protected] None 0 1.17 MB ljharb
npm/[email protected] None +27 394 kB ljharb
npm/[email protected] None +27 410 kB ljharb
npm/[email protected] None +2 112 kB gkz
npm/[email protected] None +1 1.05 MB feedic
npm/[email protected] filesystem +1 987 kB isaacs
npm/[email protected] Transitive: filesystem +1 35.1 kB ryanzim
npm/[email protected] None 0 8.45 kB ai
npm/[email protected] environment, unsafe +1 683 kB ai
npm/[email protected] None +1 200 kB ai
npm/[email protected] environment, filesystem 0 198 kB ai
npm/[email protected] environment, filesystem, unsafe 0 11.2 MB prettier-bot
npm/[email protected] environment, filesystem, unsafe 0 8.49 MB prettier-bot
npm/[email protected] environment, filesystem, unsafe 0 8.39 MB prettier-bot
npm/[email protected] Transitive: environment +3 533 kB simenb
npm/[email protected] None 0 70.7 kB ndubien
npm/[email protected] None 0 97.2 kB bokuweb
npm/[email protected] None 0 0 B
npm/[email protected] environment 0 855 kB react-bot
npm/[email protected] None 0 218 B sugarpirate
npm/[email protected] None 0 0 B
npm/[email protected] environment +1 8.78 MB react-bot
npm/[email protected] environment +1 7.51 MB react-bot
npm/[email protected] environment 0 6.23 MB react-bot
npm/[email protected] environment 0 15.1 kB react-bot
npm/[email protected] environment +1 857 kB react-bot
npm/[email protected] Transitive: environment +1 3.03 MB brianvaughn
npm/[email protected] environment 0 896 kB brianvaughn
npm/[email protected] environment 0 452 kB react-bot
npm/[email protected] environment 0 379 kB react-bot
npm/[email protected] environment 0 240 kB react-bot
npm/[email protected] filesystem 0 1.96 MB craigbrookes
npm/[email protected] None +1 47.8 kB ljharb
npm/[email protected] environment, filesystem +2 158 kB ljharb
npm/[email protected] None +2 412 kB stropho
npm/[email protected] None +5 756 kB mickael.jeanroy
npm/[email protected] environment, filesystem +15 42.9 MB lukastaegert
npm/[email protected] None 0 52.1 kB fitz5264
npm/[email protected] environment 0 84.2 kB react-bot
npm/[email protected] None +1 19.5 kB ljharb
npm/[email protected] environment, filesystem +1 227 kB nfischer
npm/[email protected] None 0 140 kB 7rulnik
npm/[email protected] None +2 1.19 MB alangpierce
npm/[email protected] environment, filesystem +3 5.64 MB adamwathan
npm/[email protected] None +3 641 kB ccasey
npm/[email protected] environment, filesystem, unsafe 0 263 kB kul
npm/[email protected] environment, filesystem, unsafe Transitive: network, shell +19 825 kB kul
npm/[email protected] environment, filesystem, unsafe +4 1.16 MB blakeembrey
npm/[email protected] None 0 32.4 MB typescript-bot
npm/[email protected] environment, network, unsafe +1 1.25 MB matteo.collina
npm/[email protected] environment 0 14.3 kB ai
npm/[email protected] None +1 31.5 kB domenic
npm/[email protected] filesystem, network Transitive: environment +8 2.8 MB jeffbski
npm/[email protected] filesystem Transitive: eval, unsafe +4 1.18 MB evilebottnawi
npm/[email protected] None +3 70.1 kB ljharb
npm/[email protected] environment, network 0 141 kB lpinca
npm/[email protected] environment, network 0 135 kB lpinca
npm/[email protected] None 0 30.1 kB jmike
npm/[email protected] None 0 63.8 kB jmike
npm/[email protected] None 0 667 kB colinmcd94


@socket-security

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

| Alert | Package | Note | Source | CI |
|---|---|---|---|---|
| Native code | npm/@parcel/[email protected] | | | 🚫 |
| Telemetry | npm/[email protected] | Note: Can be disabled by setting the environment variable NEXT_TELEMETRY_DISABLED=1. See https://nextjs.org/telemetry for more information | | 🚫 |
| AI warning | npm/[email protected] | Notes: This code has a worrying combination of potential security risks, including executing a downloaded binary with user input, writing to user-controlled file paths, and automatically modifying the .gitignore. While it does not appear to be outright malware, using it as-is poses significant security concerns. A thorough security review and hardening of these risk areas would be recommended before use. Confidence: 1.00. Severity: 0.60 | | 🚫 |
| Install scripts | npm/[email protected] | Install script: postinstall. Source: node -e "try{require('./_postinstall')}catch(e){}" | | 🚫 |


Next steps

What's wrong with native code?

Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.

Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.

What is telemetry?

This package contains telemetry which tracks how it is used.

Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.

What is an AI detected anomaly?

AI has identified unusual behaviors that may pose a security risk.

An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware, you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

@markerikson markerikson closed this Jul 1, 2024