|
169 | 169 | "emoji": "🎈" |
170 | 170 | }, |
171 | 171 | "gitDependency": { |
172 | | - "description": "Contains a dependency which resolves to a remote git URL. Dependencies fetched from git URLs are not immutable can be used to inject untrusted code or reduce the likelihood of a reproducible install.", |
| 172 | + "description": "Contains a dependency which resolves to a remote git URL. Dependencies fetched from git URLs are not immutable and can be used to inject untrusted code or reduce the likelihood of a reproducible install.", |
173 | 173 | "suggestion": "Publish the git dependency to npm or a private package repository and consume it from there.", |
174 | 174 | "title": "Git dependency", |
175 | 175 | "emoji": "🍣" |
|
212 | 212 | }, |
213 | 213 | "highEntropyStrings": { |
214 | 214 | "description": "Contains high entropy strings. This could be a sign of encrypted data, leaked secrets or obfuscated code.", |
215 | | - "suggestion": "Please inspect these strings to check if these strings are benign. Maintainers should clarify the purpose and existence of high entropy strings if there is a legitimate purpose.", |
| 215 | + "suggestion": "Please inspect these strings to check if they are benign. Maintainers should clarify the purpose and existence of high entropy strings if there is a legitimate purpose.", |
216 | 216 | "title": "High entropy strings", |
217 | 217 | "emoji": "⚠️" |
218 | 218 | }, |
|
277 | 277 | "emoji": "⚠️" |
278 | 278 | }, |
279 | 279 | "malware": { |
280 | | - "description": "This package is malware. We have asked the package registry to remove it.", |
| 280 | + "description": "This package is identified as malware. It has been flagged either by Socket's AI scanner and confirmed by our threat research team, or is listed as malicious in security databases and other sources.", |
281 | 281 | "title": "Known malware", |
282 | 282 | "suggestion": "It is strongly recommended that malware is removed from your codebase.", |
283 | 283 | "emoji": "☠️" |
|
391 | 391 | "emoji": "⚠️" |
392 | 392 | }, |
393 | 393 | "noV1": { |
394 | | - "description": "Package is not semver >=1. This means it is not stable and does not support ^ ranges.", |
| 394 | + "description": "Package is not semver \u003E=1. This means it is not stable and does not support ^ ranges.", |
395 | 395 | "suggestion": "If the package sees any general use, it should begin releasing at version 1.0.0 or later to benefit from semver.", |
396 | 396 | "title": "No v1", |
397 | 397 | "emoji": "⚠️" |
|
488 | 488 | }, |
489 | 489 | "suspiciousString": { |
490 | 490 | "description": "This package contains suspicious text patterns which are commonly associated with bad behavior.", |
491 | | - "suggestion": "The package code should be reviewed before installing", |
| 491 | + "suggestion": "The package code should be reviewed before installing.", |
492 | 492 | "title": "Suspicious strings", |
493 | 493 | "emoji": "⚠️" |
494 | 494 | }, |
|
560 | 560 | }, |
561 | 561 | "unstableOwnership": { |
562 | 562 | "description": "A new collaborator has begun publishing package versions. Package stability and security risk may be elevated.", |
563 | | - "suggestion": "Try to reduce the amount of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.", |
| 563 | + "suggestion": "Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.", |
564 | 564 | "title": "Unstable ownership", |
565 | 565 | "emoji": "⚠️" |
566 | 566 | }, |
|
571 | 571 | "emoji": "⚠️" |
572 | 572 | }, |
573 | 573 | "urlStrings": { |
574 | | - "description": "Package contains fragments of external URLs or IP addresses, which may indicate that it covertly exfiltrates data.", |
575 | | - "suggestion": "Avoid using packages that make connections to the network, since this helps to leak data.", |
| 574 | + "description": "Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.", |
| 575 | + "suggestion": "Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.", |
576 | 576 | "title": "URL strings", |
577 | 577 | "emoji": "⚠️" |
578 | 578 | }, |
|
587 | 587 | "suggestion": "Packages should remove unnecessary zero width unicode characters and use their visible counterparts.", |
588 | 588 | "title": "Zero width unicode chars", |
589 | 589 | "emoji": "⚠️" |
| 590 | + }, |
| 591 | + "chromePermission": { |
| 592 | + "description": "This Chrome extension uses the '{permission}' permission.", |
| 593 | + "suggestion": "Does this extensions need these permissions? Read more about what they mean at https://developer.chrome.com/docs/extensions/reference/permissions-list", |
| 594 | + "title": "Chrome Extension Permission", |
| 595 | + "emoji": "⚠️" |
| 596 | + }, |
| 597 | + "chromeHostPermission": { |
| 598 | + "description": "This Chrome extension requests access to '{host}'.", |
| 599 | + "suggestion": "Review the host permission request and ensure it's necessary for the extension's functionality. Consider if the extension could work with more restrictive host permissions.", |
| 600 | + "title": "Chrome Extension Host Permission", |
| 601 | + "emoji": "⚠️" |
| 602 | + }, |
| 603 | + "chromeWildcardHostPermission": { |
| 604 | + "description": "This Chrome extension requests broad access to websites with the pattern '{host}'.", |
| 605 | + "suggestion": "Wildcard host permissions like '*://*/*' give the extension access to all websites. This is a significant security risk and should be carefully reviewed. Consider if the extension could work with more restrictive host permissions.", |
| 606 | + "title": "Chrome Extension Wildcard Host Permission", |
| 607 | + "emoji": "⚠️" |
| 608 | + }, |
| 609 | + "chromeContentScript": { |
| 610 | + "description": "This Chrome extension includes a content script '{scriptFile}' that runs on websites matching '{matches}'.", |
| 611 | + "suggestion": "Content scripts can modify web pages and access page content. Review the content script code to understand what it does on the websites it targets.", |
| 612 | + "title": "Chrome Extension Content Script", |
| 613 | + "emoji": "⚠️" |
590 | 614 | } |
591 | 615 | } |
592 | 616 | } |
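Review bot: The new `chromePermission` suggestion at new line 593 reads "Does this extensions need these permissions?", which is both a grammar slip and a number mismatch with its description, which names a single '{permission}'; suggest `"suggestion": "Does this extension need this permission? Read more about what it means at https://developer.chrome.com/docs/extensions/reference/permissions-list"`. Whether the `suggestion` field is templated like `description` (so '{permission}' could be interpolated) is not visible in this hunk, so the wording above avoids the placeholder. The sibling `chromeContentScript` entry could also carry the least-privilege point its neighbours make, e.g. appending `Consider whether the match pattern is broader than the extension needs.` to its suggestion. The file header and the opening of the enclosing top-level object are outside the hunk.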