Advisory GHSA-v8f4-cj97-g2x4 is a false positive

[DNGRboat]

The package is an internal dependency shared among our applications. It is not made for external use.

• Ecosystem: NPM
• Package: ember-simplepractice
• No versions are malicious

The report says "The package communicates with a domain associated with malicious activity", but no such communication exists. It lists version 6.8.2 under malicious-packages-origins, but only beta versions of 6.8.2 were published.

[kam193]

I have nothing to do with this report, but it sounds like typical dependency confusion. Are you sure you think about https://www.npmjs.com/package/ember-simplepractice and not a package of the same name existing in your private repository?

[DNGRboat]

No, this is referring to our package, we're getting critical alerts from multiple sources.

[kam193]

From my experience of handling #1104 and #1099 the analysis tools do not recognize the difference between packages downloaded from public source (this is what the report is about) and packages from private repositories. This is a classic dependency confusion case - someone creates a package in a public repository of the same name as the private package, hoping that the user installs the wrong package due to misconfiguration. This is also why you don't recognize the version, it existed just in the public repository.

I can suggest you create a PR to remove open range from the main report part:

"ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            }
          ]
        }
      ],

It says "all versions are affected" and most probably triggers an alert on your internal packages. Leaving just versions that existed in the public repository is the only method I'm aware of to compromise warning about the malicious package and unblocking your work.

[kam193]

However, please note here you can update only the OSV.dev entry (which copied open range from GHSA and may be used by the tools that cause issues), but not the GHSA advisory itself. The GHSA advisory comes from Github/NPM, and to update it, you should rather open an issue in https://github.com/github/advisory-database as stated on the advisory page GHSA-v8f4-cj97-g2x4