socket.yml
version: 2
# bytekit publishes ONLY dist/ + bin/ with zero runtime dependencies.
# ALL vulnerabilities listed below are in devDependencies (build/test/lint tooling)
# and will NEVER reach consumers of the bytekit npm package.
#
# urlStrings: TypeScript's bundled lib.d.ts files reference MDN/W3C documentation
# URLs as spec comments — not runtime outbound connections.
# bytekit's own source URLs have been replaced with localhost examples.
#
# nonpermissiveLicense: Reported against typescript@x because its lib.d.ts files
# include W3C specification text (LicenseRef-W3C-Community-Final-Specification-Agreement).
# bytekit has zero runtime dependencies and does not ship TypeScript code.
#
# obfuscatedFile: vite, markdown-it, and entities ship minified/bundled builds
# (legitimate build optimisation). Socket.dev's heuristic incorrectly flags
# minified npm tools as "obfuscated". These are well-known, widely audited packages.
#
# newAuthor: path-to-regexp publisher change is irrelevant — bytekit does not
# depend on path-to-regexp directly or transitively at runtime.
issueRules:
  urlStrings: false
  nonpermissiveLicense: false
  obfuscatedFile: false
  newAuthor: false
  deprecated: false
  licenseException: false
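
The suppressions above rest on the comment's claim that bytekit publishes only dist/ and bin/ with zero runtime dependencies. The following is an added example, not code from the bytekit repository, that checks that claim against a package.json object; the function name `auditManifest` and both sample manifests are constructed for illustration.

```javascript
// Added example: verifies the premise behind the socket.yml suppressions.
// A manifest passes only if it declares no runtime dependency fields and
// its "files" allowlist stays inside dist/ and bin/.
const RUNTIME_FIELDS = [
  "dependencies", "optionalDependencies", "peerDependencies",
  "bundledDependencies", "bundleDependencies",
];
const ALLOWED_ROOTS = ["dist", "bin"]; // taken from the comment in socket.yml

function auditManifest(pkg) {
  const problems = [];
  for (const field of RUNTIME_FIELDS) {
    const value = pkg[field];
    if (!value || typeof value !== "object") continue;
    const names = Array.isArray(value) ? value : Object.keys(value);
    for (const name of names) problems.push(`${field}: ${name}`);
  }
  if (!Array.isArray(pkg.files)) {
    // Without an allowlist npm packs everything not excluded by ignore files.
    problems.push("files: no allowlist, npm would publish the whole tree");
    return problems;
  }
  for (const entry of pkg.files) {
    if (entry.startsWith("!")) continue; // negations only exclude paths
    const root = entry.replace(/^\.?\/+/, "").split("/")[0];
    if (!ALLOWED_ROOTS.includes(root)) problems.push(`files: ${entry}`);
  }
  return problems;
}

// Constructed sample manifests (names and versions are illustrative).
const clean = {
  name: "example-lib",
  files: ["dist", "./bin/"],
  devDependencies: { typescript: "^5.0.0", vite: "^5.0.0" },
};
const leaky = {
  name: "example-lib",
  files: ["dist", "src", "!dist/**/*.map"],
  dependencies: { "path-to-regexp": "^6.0.0" },
  devDependencies: { vite: "^5.0.0" },
};

console.log("clean:", auditManifest(clean));
console.log("leaky:", auditManifest(leaky));
```

Running a check like this in CI before publishing keeps the blanket `false` rules honest: if a runtime dependency or an extra published path ever appears, the suppressions no longer apply only to dev tooling.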