Install script: postinstall

Source: node install.js

From: package-lock.json → npm/@yao-pkg/pkg@6.14.0 → npm/esbuild@0.27.3

ℹ Read more on: This package | This alert | What is an install script?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: This module is a legitimate-looking build tool that downloads Node binaries, verifies checksums, generates a SEA blob from a provided entrypoint, and injects that blob into Node executables for distribution. The code itself does not contain clear malware (no data exfiltration, no hard-coded credentials, no reverse shell). However it performs high-impact actions: downloading and extracting executables, executing shell commands with interpolated, potentially unescaped paths, and injecting arbitrary blobs into binaries. These behaviors present supply-chain and command-injection risks if inputs (targets, nodePath, entryPoint, opts) or the downloaded resources are attacker-controlled or untrusted. Use requires trusting the blob generation inputs, target definitions, and the remote hosts providing Node binaries and checksums. Recommend validating and sanitizing all inputs used in shell commands and pinning trusted sources for binaries and checksums; prefer using execFile/spawn with argument arrays or proper escaping to avoid shell injection.

Confidence: 0.90

Severity: 0.60

From: package-lock.json → npm/@yao-pkg/pkg@6.14.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@yao-pkg/pkg@6.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The code represents a thorough and sophisticated installer for esbuild with multiple fallback mechanisms to acquire platform-appropriate binaries. While largely legitimate, its use of direct tarball downloads, manual extraction without explicit integrity validation, and the override/wrapper mechanism create nontrivial supply-chain and abuse risks. Recommend enabling strict binary integrity checks (checksums/signatures), minimizing or auditing the override/wrapper feature, and implementing tighter error visibility and logging to reduce operational risk and potential misuse.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@yao-pkg/pkg@6.14.0 → npm/esbuild@0.27.3

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.