This is a test PR. It will be closed without merging.
Re-running the Socket.dev blocking test on hermes after branch protection on master was updated to require the Socket Security check.
The previous test on zen (PR #514) showed mergeStateStatus: UNSTABLE because Socket's check was firing but was not marked as a required status check. This PR verifies that, with branch protection now wired up correctly, mergeStateStatus flips to BLOCKED.
Three known npm typosquats / historical malware packages were added to root devDependencies:
- crossenv — typosquat of cross-env (documented npm malware)
- electorn — typosquat of electron (documented npm malware)
- mongose — typosquat of mongoose (documented npm malware)

Note: hermes CI will likely fail at the pnpm install step because these packages were removed from npm after disclosure. That failure is expected and unrelated to the Socket check — Socket scans the manifest text and looks up names against its own DB.
This PR itself IS the test. The expected outcome:
- master (newly configured): `gh pr view --json mergeStateStatus` returns BLOCKED

Will be closed once the BLOCKED state is observed.
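As an added example (not part of this PR, and not Socket's own code), the following Python script does a manifest-text check in the spirit of the one described above: it parses a `package.json` string (a constructed sample is embedded), looks each dependency name up against a constructed denylist of documented malware names and a constructed allowlist of popular package names, and reports `block`, `warn` or `ok` per name. No install step is needed, which is why such a check still works after the packages are removed from the registry. Socket's real database and heuristics are not on this page; the allowlist, denylist, separator normalization and the edit-distance threshold of 1 are assumptions made for the example.

```python
"""Flag documented-malware and lookalike package names in a package.json.

Added example, not code from the PR or from Socket.dev. The lists below
are constructed for illustration; a real check would use a curated malware
database and a registry-derived popularity list.
"""
import json

# Constructed allowlist of popular package names (assumption).
POPULAR = {"cross-env", "electron", "mongoose", "lodash", "express", "react"}

# Constructed denylist: the three typosquats named in the PR (assumption:
# a real scanner keeps a much larger, maintained list).
KNOWN_MALWARE = {"crossenv", "electorn", "mongose"}

# Constructed sample manifest mirroring the PR's devDependencies change.
SAMPLE_PACKAGE_JSON = """{
  "name": "hermes-test",
  "dependencies": { "express": "^4.18.0", "lodash": "^4.17.21" },
  "devDependencies": {
    "crossenv": "*",
    "electorn": "*",
    "mongose": "*",
    "typescript": "^5.0.0"
  }
}"""


def normalize(name: str) -> str:
    """Drop separators so 'cross-env' and 'crossenv' compare as equal."""
    return name.lower().replace("-", "").replace("_", "").replace(".", "")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters (catches 'electorn' vs 'electron')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(name: str) -> dict:
    """Classify one dependency name.

    block: on the constructed malware denylist
    warn : not itself popular, but one edit (or only separators) away
           from a popular name
    ok   : everything else
    """
    if name in POPULAR:
        return {"name": name, "verdict": "ok", "lookalike_of": None}
    lookalike = next(
        (p for p in sorted(POPULAR)
         if normalize(name) == normalize(p) or edit_distance(name, p) <= 1),
        None,
    )
    if name in KNOWN_MALWARE:
        return {"name": name, "verdict": "block", "lookalike_of": lookalike}
    if lookalike is not None:
        return {"name": name, "verdict": "warn", "lookalike_of": lookalike}
    return {"name": name, "verdict": "ok", "lookalike_of": None}


def scan_manifest(manifest_text: str,
                  fields=("dependencies", "devDependencies")) -> list:
    """Parse a package.json text and classify every dependency name."""
    data = json.loads(manifest_text)
    findings = []
    for field in fields:
        for name in data.get(field, {}):
            findings.append({"field": field, **classify(name)})
    return findings


def has_blocking_findings(findings: list) -> bool:
    """True if any finding would block a merge under a 'resolve all Block alerts' policy."""
    return any(f["verdict"] == "block" for f in findings)


if __name__ == "__main__":
    results = scan_manifest(SAMPLE_PACKAGE_JSON)
    for f in results:
        extra = f" (lookalike of {f['lookalike_of']})" if f["lookalike_of"] else ""
        print(f"{f['verdict']:5} {f['field']}/{f['name']}{extra}")
    print("BLOCKED" if has_blocking_findings(results) else "CLEAN")
```

Run against the embedded sample it reports the three typosquats as `block` (each with the legitimate name it imitates) and leaves `express`, `lodash` and `typescript` as `ok`; a name such as `expres` that is not on the denylist but is one edit from a popular package comes back as `warn`, which matches the Block/Warn split the Socket comment below refers to.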
Based on git blame analysis of 1 file(s):
| Contributor | Contribution | Files |
|---|---|---|
| Zen | 38% | 1 |
| jkomyno | 28% | 1 |
| Utkarsh Dixit | 11% | 1 |
| Rahul Tarak | 8% | 1 |
| abir-taheer | 5% | 1 |
Recommend Zen and jkomyno. Zen edited package.json today and is the most recent/highest-weighted contributor, and jkomyno made a recent edit to the same file (~3 weeks ago) and has substantial recent activity—both are well-placed to review dependency/metadata changes.
🤖 Based on git blame with recency weighting (recent edits count more).
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
> [!CAUTION]
> Review the following alerts detected in dependencies.
According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.