Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generate TS client with Telescope #1845

Closed
wants to merge 2 commits into from
Closed

Generate TS client with Telescope #1845

wants to merge 2 commits into from

Conversation

fadeev
Copy link
Member

@fadeev fadeev commented Mar 6, 2024

No description provided.

@socket-security Socket Security
Copy link

New dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@cosmjs/[email protected] Transitive: filesystem +19 2.13 MB webmaster128
npm/@cosmjs/[email protected] Transitive: filesystem, network +36 37.6 MB webmaster128
npm/@cosmjs/[email protected] Transitive: environment, eval, filesystem, network +59 40.2 MB webmaster128
npm/@cosmjs/[email protected] network Transitive: environment, eval, filesystem +39 3.92 MB webmaster128
npm/@cosmology/[email protected] environment, filesystem Transitive: eval, network, shell, unsafe +385 62.3 MB zetazz
npm/@protobufs/[email protected] None +1 104 kB pyramation
npm/@protobufs/[email protected] None +5 483 kB pyramation
npm/@protobufs/[email protected] None +1 95 kB pyramation
npm/@protobufs/[email protected] None 0 85.8 kB pyramation
npm/@protobufs/[email protected] None +2 136 kB pyramation
npm/@types/[email protected] Transitive: environment, filesystem, unsafe +45 5.74 MB types
npm/[email protected] Transitive: environment, eval, filesystem, shell, unsafe +91 10.5 MB lydell
npm/[email protected] Transitive: environment, eval, filesystem, shell, unsafe +94 21.8 MB jounqin
npm/[email protected] environment, filesystem Transitive: eval, shell, unsafe +90 10.5 MB eslintbot
npm/[email protected] None 0 5.73 kB thejameskyle
npm/[email protected] Transitive: environment, eval, filesystem, network, shell, unsafe +268 26.3 MB simenb
npm/[email protected] environment, filesystem, unsafe 0 11.2 MB prettier-bot
npm/[email protected] filesystem Transitive: environment, eval, shell +87 12 MB pyramation
npm/[email protected] environment, filesystem Transitive: shell +29 2.35 MB isaacs
npm/[email protected] environment, filesystem, unsafe Transitive: eval, network, shell +273 58.7 MB kul
npm/[email protected] None 0 32 MB typescript-bot

View full report↗︎

@socket-security Socket Security
Copy link

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package NoteSource
Install scripts npm/[email protected]
  • Install script: postinstall
  • Source: node scripts/postinstall
Install scripts npm/@cosmology/[email protected]
  • Install script: postinstall
  • Source: node scripts/postinstall
Protestware/Troll package npm/[email protected]
  • Note: This package prints a protestware console message on install regarding Ukraine for users with Russian language locale
Install scripts npm/[email protected]
  • Install script: postinstall
  • Source: node -e "try{require('./_postinstall')}catch(e){}" || exit 0

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

What is protestware?

This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function.

Consider that consuming this package my come along with functionality unrelated to its primary purpose.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 6, 2024

!!!WARNING!!!
nosec detected in the following files: zetachaints/proto/google/protobuf/duration.proto, zetachaints/proto/google/protobuf/timestamp.proto, zetachaints/src/codegen/google/protobuf/duration.ts, zetachaints/src/codegen/google/protobuf/timestamp.ts, zetachaints/src/codegen/helpers.ts

Be very careful about using #nosec in code. It can be a quick way to suppress security warnings and move forward with development, it should be employed with caution. Suppressing warnings with #nosec can hide potentially serious vulnerabilities. Only use #nosec when you're absolutely certain that the security issue is either a false positive or has been mitigated in another way.

Only suppress a single rule (or a specific set of rules) within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within the #nosec annotation, e.g: /* #nosec G401 */ or //#nosec G201 G202 G203
Broad #nosec annotations should be avoided, as they can hide other vulnerabilities. The CI will block you from merging this PR until you remove #nosec annotations that do not target specific rules.

Pay extra attention to the way #nosec is being used in the files listed above.

@github-actions github-actions bot added the nosec label Mar 6, 2024
@lumtis
Copy link
Member

lumtis commented Apr 2, 2024

Are you still working on this one @fadeev ? Seems like to be multiple conflicts in the proto files

@fadeev
Copy link
Member Author

fadeev commented Apr 3, 2024

@lumtis we can close this PR, but the underlying problem is still there, maybe you can help. We can't generate TS clients because proto files use options unsupported by client generators:

#1795 (comment)

@fadeev fadeev closed this Apr 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
breaking:proto nosec
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@fadeev @lumtis