Cortex XDR flags dependency as malware

[joshleblanc]

🐛 Bug Report

Prerequisites

• I'm using the latest version of Docusaurus.
• I have tried the npm run clear or yarn clear command.
• I have tried rm -rf node_modules yarn.lock package-lock.json and re-installing packages.
• I have tried creating a repro with https://new.docusaurus.io
• I have read the console error message carefully (if applicable)

Description

Not really a bug - but if you install the latest version of Docusaurus and follow that up with yarn install, Cortex XDR flags one of your dependencies as a trojan.

Steps to reproduce

1. run `npm init docusuaurs@latest [name] classic
2. run yarn install

Expected behavior

The install to work

Actual behavior

Anti-virus throws a fit

Your environment

• Public source code: https://github.com/joshleblanc/crayta-docs
• Docusaurus version used: 2.0.0-beta.8
• Environment name and version (e.g. Chrome 78.0.3904.108, Node.js 10.17.0): Node v14.17.0
• Operating system and version (e.g. Ubuntu 20.04.2 LTS): Windows 10 Pro 21H1

[Josh-Cena]

#5769 Really surprised to see it still in effect

[joshleblanc]

@Josh-Cena That's my mistake. This happened on the 22nd, I'm only just getting around to reporting it now.

Looks like this is already resolved.

[slorber]

@joshleblanc here's a good overview of the problem: https://blog.expo.dev/ua-parser-js-and-malicious-npm-packages-8c13ee4141a

Was wondering, if you run yarn install again, does it still contain the malicious package? Is your lockfile updated after a re-install?