Socket.dev controversial statements

[theamericanaccount]

Hello,
yesterday I've noticed in every node package page there's a button for scanning for potential risks in a module redirecting users to 'socket.dev'.

Apparently this website suggests users my software is certainly malware because it flags the pre-built webpack exported artifacts (reproducible even) I make optionally available in the dist directory for NPM users who want to include the library in a web page directly without building the webpack themselves as a malware.

I've seen many other module packages export webpacks or binary like single file exports or even binaries in the dist directory so I guess those modules are affected by those false flags as well.

Like this flag triggers on all typescript packages as well?

So nothing I'm not sure where to report to take down those flags so here I am.

[ljharb]

It says "potential" malware. The place to report would be to socket.dev directly.

(Separately, packages shouldn't BE bundling; only apps should - by bundling in your package, you're depriving your users of maximal optimizations that their build process would perform)

[theamericanaccount]

My packages contain applications and libraries exports for the browser because Crash Javascript allows the same code to run in Node.js and in the browser without changes.
When the app is set to run in the browser environment, the browser loads the exported webpack, while Node.js loads the source files.

Users who want to build the browser version of the application and of the libraries ex novo can do so by rebuilding the package.
The webpack exports exist otherwise one can't open nor the program nor the library from a browser.

Im not depriving anybody of anything @ljharb, on the opposite.

[ljharb]

I understand how it works; I'm saying that the downsides of shipping bundles almost always outweigh the friction of requiring consumers to use a build process. Either way, that's off topic for the issue, which should be closed because it's got nothing to do with npm.

[theamericanaccount]

I don't see any downside in shipping a bundle.

If i dont ship a bundle users of my program cant simply open it with the --runtime-environment="browser" and they can only do it with --runtime-environment="node".

It's what Crash Javascript does, it makes Node.js code seamlessly run in the browser too, even terminal commands, so the Javascript console in the browser becomes a Node command line and me as a developer can debug the same program on 4 OSes + the browsers from a single place.

If an user wants to rebuild and replace the included bundle just has to rebuild the module normally.

NPM is not a from source package manager, it doesnt want users to produce machine code from source using a build process going on locally on users computers, it just extracts whatever the author has included in the archive.

The bundle is not attached by me manually but its generated by the build process and it's reproducible.

I'm following all common sense and best practices a software maintainer can stick to.

[theamericanaccount]

@ljharb also i am sorry, but have i got it right?

the fact the website linked on all NPM packages false flags as a "potential security risk" all those including a webpack bundle is not an NPM issue?

I think NPM should either forbid all packages to add any binaries to modules or remove those buttons which redirect to defamatory statements by a low bar, low effort company which doesnt have available a tool to check for bundles safety.

Or I dont know, add an huge "tell socket.dev their tool doesnt work well" button just below the "potential security risks" button.

[ljharb]

Yes - it's an external link. npm has nothing to do with any of those links, and so if you have issues with the content on them, you'd need to report it to that site directly.

"Potential malware" is not defamatory; it's just an indicator.

[theamericanaccount]

Something is potential when it's possible.
It's not possible there may be malware in my software because attaching malware to a software is a grave crime in my country as well as many others for which one is sentenced to very long jail time so those statements are defamatory because they are false and suggest I may be a criminal.

[theamericanaccount]

'Socket.dev' only seems to have available an email to report issues so I'm makirg my corresponce with them public and available on here for all developers to be able to follow what's gonna happen if they dont like NPM defaming them through a third party.

.

[theamericanaccount]

It looks like this very serious company has disabled traffic from yahoo mail.
Pretty surreal.
I'm not going to write to them from a different email address as it's insulting to say the least

.