I believe I understand because I saw a similar situation.
They're alerting because they see a reference in your repo to a package name in which they found malware in a public package with the same name. Look at the package name they reference on npmjs - it is most likely going to show something like "published 0.0.1-security", meaning npm found malware and replaced the package with a no-op package. The dependabot alert scanner doesn't know you're using a local package with that name. They do know there is an npm package with that name which had malware, so they're alerting. The recommended solution to avoid the alert (and risk) is to scope internal packages to scopes you own.
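The check behind that recommendation, as an added example that is not part of this thread or of any project discussed in it: a small script that walks a `package.json`, finds dependencies that resolve to a local path or workspace but carry an unscoped name (the exact situation that can collide with a public npmjs.com package of the same name), and proposes the scoped rename. The manifest contents, the `example-org` scope and the package names are constructed for illustration.

```javascript
// Added example (not from the original issue): report unscoped dependencies in a
// package.json that resolve to local sources. Such names can collide with a
// public npmjs.com package of the same name, which is what triggers advisory
// alerts like the one in this thread. Renaming them to @yourorg/name removes the
// collision. The package.json below is constructed for illustration.

// Specifiers that point at a local path or workspace rather than a registry range.
const LOCAL_SPEC = /^(file:|link:|workspace:|portal:|\.{1,2}\/|\/)/;

// True when a dependency specifier is a local path/workspace reference.
function isLocalSpec(spec) {
  return LOCAL_SPEC.test(spec);
}

// True when a package name is scoped ("@scope/name").
function isScoped(name) {
  return /^@[^/]+\/[^/]+$/.test(name);
}

// Walk every dependency section and collect names that are both local and
// unscoped. Each finding carries the suggested scoped name.
function findUnscopedLocalDeps(pkg, scope) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const findings = [];
  for (const section of sections) {
    const deps = pkg[section] || {};
    for (const [name, spec] of Object.entries(deps)) {
      if (isLocalSpec(spec) && !isScoped(name)) {
        findings.push({ section, name, spec, suggested: `@${scope}/${name}` });
      }
    }
  }
  return findings;
}

// Constructed sample manifest: "internal-utils" and "build-helpers" are local
// packages with unscoped names (the risky case); "@example-org/tooling" is
// already scoped; "lodash" is an ordinary registry dependency.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'my-app',
  dependencies: {
    'internal-utils': 'file:../internal-utils',
    '@example-org/tooling': 'workspace:*',
    lodash: '^4.17.21',
  },
  devDependencies: {
    'build-helpers': 'link:./tools/build-helpers',
  },
});

// Runs the check over the sample manifest and prints one line per finding.
function main() {
  const pkg = JSON.parse(SAMPLE_PACKAGE_JSON);
  const findings = findUnscopedLocalDeps(pkg, 'example-org');
  for (const f of findings) {
    console.log(`${f.section}: "${f.name}" (${f.spec}) is unscoped; rename to "${f.suggested}"`);
  }
  return findings;
}

main();
```

Run it with `node` against a real manifest by replacing `SAMPLE_PACKAGE_JSON` with the file contents. After renaming, the scope can be pinned to your private registry in `.npmrc` with a line of the form `@example-org:registry=https://registry.example.invalid/` (placeholder URL), so an install of a scoped name never falls through to the public registry.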
martintreurnicht commented Jun 21, 2022
Related to #422
We started getting this dependabot alert https://github.com/advisories/GHSA-9824-332p-264p. It's unclear why this has happened, and I'm unsure how to resolve this. In the other issue the creator mentions that having a shadow package on npmjs.com caused this problem for them. We don't publish to npmjs.com anymore, but we used to do that under a different package name; that was many months ago, though, and it would be weird for it to only pop up now.