
Add es5-ext to moduleignore#315063

Closed
jiridanek wants to merge 2 commits into microsoft:main from jiridanek:fix/override-quarantined-es5-ext

Conversation

@jiridanek
Contributor

Summary

  • es5-ext (0.10.63 and 0.10.64) is quarantined by Nexus Firewall (sonatype-2022-2248) because its _postinstall.js makes network calls to geolocate the host and executes undisclosed code (protestware). Both versions are flagged; there is no clean upstream version.
  • This blocks hardened supply chain builds (Konflux, Cachi2, Hermeto) with 403 Forbidden when prefetching npm dependencies.
  • This PR adds an npm overrides entry to alias es5-ext to @unes/es5-ext@0.10.64-1, a community fork that strips the postinstall script and rebases daily against upstream.
  • The override covers all transitive consumers: gulp-sourcemaps → debug-fabulous → memoizee → es5-ext, and the d / es6-* / esniff / timers-ext family, as well as @microsoft/dev-tunnels-connections → es5-ext + websocket → es5-ext.

Fixes #310541

References

Made with Cursor

Copilot AI review requested due to automatic review settings May 7, 2026 17:54
Contributor

Copilot AI left a comment


Pull request overview

Adds an npm overrides rule at the repository root to ensure any transitive es5-ext dependency is resolved to the community fork @unes/es5-ext (intended to avoid quarantine/protestware postinstall behavior and unblock hardened dependency prefetch/build pipelines).

Changes:

  • Add overrides.es5-ext = "npm:@unes/es5-ext@0.10.64-1" to force resolution to @unes/es5-ext.
  • Reformat the root package.json (indentation/whitespace).

@jiridanek
Contributor Author

@microsoft-github-policy-service agree company="Red Hat"

@connor4312
Member

connor4312 commented May 7, 2026

We can actually just add es5-ext to our moduleignore entirely. It is only consumed in websocket's browser version, and is already in a try/catch and unnecessary in the browsers we support. Feel free to make that change if you would like.

@jiridanek
Contributor Author

Thanks @connor4312! That's much cleaner. Confirmed — browser.js checks globalThis first, then falls back to require('es5-ext/global') inside a try/catch, so stripping es5-ext is safe.

This is consistent with your earlier comment on #310541 noting that es5-ext is "otherwise benign/useful (though technically extraneous as it's a polyfill for older browsers we don't support anyway)."

I'll push the .moduleignore change to this PR.

es5-ext (0.10.63 and 0.10.64) is quarantined by Nexus Firewall
(sonatype-2022-2248) due to undisclosed postinstall code execution.

es5-ext is only consumed in websocket's browser.js inside a
try/catch with a globalThis fallback, so it is unnecessary in
the browsers/runtimes VS Code supports. Adding it to .moduleignore
strips it from the build output entirely.

Fixes microsoft#310541

Co-authored-by: Cursor <cursoragent@cursor.com>
@jiridanek jiridanek force-pushed the fix/override-quarantined-es5-ext branch from adea003 to c4027af May 7, 2026 18:59
@connor4312 connor4312 changed the title Override quarantined es5-ext with @unes/es5-ext Add es5-ext to moduleignore May 7, 2026
@connor4312 connor4312 enabled auto-merge (squash) May 7, 2026 21:01
@connor4312
Member

Ah, sorry, our CI blocks external contribs to ./build. I'll reopen this under my account to unlock

auto-merge was automatically disabled May 7, 2026 21:26

Pull request was closed

@jiridanek jiridanek deleted the fix/override-quarantined-es5-ext branch May 8, 2026 08:44

Development

Successfully merging this pull request may close these issues.

Infected by JS.Siggen5.44590

3 participants