Malware in dependency lib

[m-s-c-h]

👓 What did you see?

Cucumber has a dependency to the es5-ext library (@cucumber/cucumber -> duration -> d -> es5-ext).
Since march 2022, the es5-ext library contains a malware defined as protestware.
Issue 186 has been filed for the library es5-ext but is still open.

✅ What did you expect to see?

Dependencies free of malware / protestware.
If bound to policies that prohibit any kind of malware and protestware, you are in trouble.

📦 Which tool/library version are you using?

Cucumber 8.3.1

🔬 How could we reproduce it?

Steps to reproduce the behavior:

1. Install Cucumber version 8.3.1
2. After npm install see file _postinstall.js in node_module/es5-ext folder

📚 Any additional context?

[davidjgoss]

Thanks for raising @m-s-c-h. It’s a tricky one in terms of policy as (speaking only for myself) I support the principle but it’s not the way I would choose to communicate.

However we can neatly skirt the issue because I’m planning on refactoring out the durations library anyway. I’ll use this issue as a vehicle for that.

cc @mattwynne for visibility

[unional]

If you want a remedy to the problem, you can use the overrides mechanism of your package manager of choice.

I have created a video to describe what you need to do: https://youtu.be/dh9UUqsJLok

[m-s-c-h]

Many thanks @davidjgoss and @unional!!! In the short run, the override mechanism helps us. And the refactoring sounds great for the long run.