devDeps: @lavamoat/allow-scripts@2.0.3->2.3.1

[legobeat]

Explanation

Maintenance update; security fixes

Manual Testing Steps

Pre-merge author checklist

• I've clearly explained:
  • What problem this PR is solving
  • How this problem was solved
  • How reviewers can test my changes
• Sufficient automated test coverage has been added

Pre-merge reviewer checklist

• Manual testing (e.g. pull and build branch, run in browser, test code being changed)
• PR is linked to the appropriate GitHub issue
• IF this PR fixes a bug in the release milestone, add this PR to the release milestone

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[legobeat]

re tests-deps-audit error: yarn npm audit is borked until yarn v4: yarnpkg/berry#4117

(endpoint returns HTTP 400 here)

[Gudahtt]

LGTM!

[mcmire]

LGTM as well.

[Gudahtt]

Hmm, another audit failure

[legobeat]

Hmm, another audit failure

Yes:

ERROR: Unable to parse yarn audit output: SyntaxError: Unexpected token ➤ in JSON at position 0
Try running `yarn audit` for more info

Exited with code exit status 1

re tests-deps-audit error: yarn npm audit is borked until yarn v4: yarnpkg/berry#4117

(endpoint returns HTTP 400 here)

#20018 (comment)

[kumavis]

re tests-deps-audit error: yarn npm audit is borked until yarn v4: yarnpkg/berry#4117

linked issue seems irrelevant - underlying error is different

SyntaxError: Unexpected token ➤ in JSON at position 0

we're likely getting a non json error message from a json endpoint

[legobeat]

re tests-deps-audit error: yarn npm audit is borked until yarn v4: yarnpkg/berry#4117

linked issue seems irrelevant - underlying error is different

SyntaxError: Unexpected token ➤ in JSON at position 0

we're likely getting a non json error message from a json endpoint

What do you see as different here? Both are due to the 400 from the npm audit backend.

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
No contributors or author data	@pkgjs/parseargs	0.11.0	Location: package.json	@lavamoat/allow-scripts@2.3.1 via package.json
Unmaintained	eastasianwidth	0.2.0	Last Publish: 1/1/2018, 9:26:07 AM	@lavamoat/allow-scripts@2.3.1 via package.json

Next steps

Why is contributor and author data important?

Package does not specify a list of contributors or an author in package.json.

Add a author field or contributors array to package.json.

What are unmaintained packages?

Package has not been updated in more than a year and may be unmaintained. Problems with the package may go unaddressed.

Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore @pkgjs/parseargs@0.11.0
• @SocketSecurity ignore eastasianwidth@0.2.0