Hi! Was setting this up for a Bun monorepo (1.3.11, free mode, no API key) and noticed every warning came back with an empty description — just the package name and URL with a blank gap where the reason should be. Looks like a small field-name mismatch.
src/index.ts reads description text from two fields:
if (alert.props.description) { description.push(alert.props.description) }
if (alert.props.note) { description.push(alert.props.note) }
But the unauthenticated firewall API (https://firewall-api.socket.dev/purl/<purl>) returns the explanation under alert.props.notes (plural). Raw response I got for @infisical/cli@0.43.78:
{
  "alerts": [{
    "type": "gptMalware",
    "props": {
      "notes": "The immediate red flag is the preinstall script which executes local JavaScript during npm install. Without inspecting src/index.cjs, you cannot determine whether it is malicious...",
      "severity": 0.9,
      "confidence": 0.8
    },
    "action": "warn"
  }]
}
Neither description nor note is populated, so nothing gets appended and the install output is just WARNING: pkg:npm/<...> with a URL on the next line.
In TTY this is workable (open the URL, read the alert on socket.dev). In non-TTY installs Bun aborts and the only signal in the log is the package name, which makes triage during PR review awkward — especially when the actual reason ("preinstall script flagged by gptMalware AI") is sitting right there in the response, just under a different field name than the consumer code is looking at.
Easy fix would be adding alert.props.notes to the description join (or renaming note → notes if the singular was the bug). Happy to send a PR if that's the right shape — or if there's a reason the singular form is canonical and the API is wrong, let me know.
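An added example, not the project's own code, of how a consumer could gather the explanation from whichever field the firewall API populates (description, note or notes) and surface it in the warning line so a non-TTY log still carries the reason. The interface shape, the placeholder purl and the helper names are assumptions for illustration; the sample response is constructed to mirror the one quoted above.

```typescript
// Minimal shape of the alerts returned by the firewall API (assumed; only
// description/note/notes, severity and action appear in the issue).
interface FirewallAlert {
  type: string;
  action?: string;
  props?: { description?: string; note?: string; notes?: string; severity?: number };
}
interface FirewallResponse { alerts?: FirewallAlert[] }

// Constructed sample mirroring the raw response quoted in the issue.
const SAMPLE_RESPONSE: FirewallResponse = {
  alerts: [{
    type: "gptMalware",
    props: {
      notes: "The immediate red flag is the preinstall script which executes local JavaScript during npm install.",
      severity: 0.9,
    },
    action: "warn",
  }],
};

// Collect explanatory text from every field the API has been seen to use,
// de-duplicating so a response carrying both `note` and `notes` prints once.
function alertDescription(alert: FirewallAlert): string[] {
  const props = alert.props ?? {};
  const parts = [props.description, props.note, props.notes]
    .filter((s): s is string => typeof s === "string" && s.trim().length > 0);
  return Array.from(new Set(parts));
}

// One warning line per alert: package, alert type, severity and the reason,
// so PR-review triage does not depend on opening the URL.
function formatWarnings(purl: string, response: FirewallResponse): string[] {
  return (response.alerts ?? []).map((alert) => {
    const reason = alertDescription(alert).join(" ") || "(no description returned by API)";
    const sev = alert.props?.severity !== undefined ? ` severity=${alert.props.severity}` : "";
    return `WARNING: ${purl} [${alert.type}${sev}] ${reason}`;
  });
}

// Placeholder purl (constructed); the real value comes from the package being installed.
const SAMPLE_WARNINGS = formatWarnings("pkg:npm/example-package@1.0.0", SAMPLE_RESPONSE);
console.log(SAMPLE_WARNINGS.join("\n"));
```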