Github security advisories for mattermost packages!?

I have been unable to find any additional info on these advisories that showed up when I ran npm audit.

Since mattermost-webapp is supposed to be used from the monorepo, I tried to use that (which was a pain because npm doesn’t support subpackages and GitPkg couldn’t handle the repos).

What’s going on here? Why is github flagging mattermost as malware?

Those are false positives, unfortunately. Those are internal package names that we have set in the package.json to pull directly from our GitHub repo. Since we never intended to publish them to NPM, someone else went and published malware to NPM under the same names at some point, which causes them to show up as malware in audit reports. They’re totally safe though as long as they’re coming from our git repo (i.e. their dependency version in the package.json starts with git:mattermost/...).

I didn’t realize that the monorepo depends on mattermost-webapp as a git dependency though. Since that lives in the same repo, we shouldn’t be downloading that as an extra dependency. eslint-plugin-mattermost does still need a rename, though, as long as it lives outside the monorepo.
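The situation described in the reply above is the classic dependency-confusion setup: an internal package name that was never published, later claimed on the public registry by someone else. The safe case is the one the reply names (the version field points at the git repo, not at a registry version), so a useful defender's check is to verify that every internal name in a project's package.json and package-lock.json actually resolves to a git source. The script below is an added example, not code from the Mattermost project or from this thread; the list of internal names, the sample manifest and the sample lockfile entries (including the commit hash) are constructed for illustration.

```javascript
// Added example: flag internal package names that would be fetched from the
// public npm registry instead of a git source. Not Mattermost project code.

// Assumption: these are the internal names a team wants to protect. The two
// names here are taken from the thread above; extend for your own project.
const INTERNAL_PACKAGES = ['mattermost-webapp', 'eslint-plugin-mattermost'];

// Does a package.json version field point at a git source rather than the
// registry? Covers git/github protocol prefixes, hosted https URLs and the
// "owner/repo[#ref]" GitHub shorthand that npm accepts.
function isGitSpec(spec) {
  if (typeof spec !== 'string') return false;
  if (/^(git\+ssh|git\+https|git\+http|git\+file|git|github|ssh):/.test(spec)) return true;
  if (/^https?:\/\/(github\.com|gitlab\.com|bitbucket\.org)\//.test(spec)) return true;
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return true; // owner/repo shorthand
  return false;
}

// Scan every dependency section of a parsed package.json and return the
// internal names whose spec would be resolved against the registry.
function findRegistryResolvedInternals(manifest) {
  const findings = [];
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  for (const section of sections) {
    const deps = manifest[section] || {};
    for (const [name, spec] of Object.entries(deps)) {
      if (INTERNAL_PACKAGES.includes(name) && !isGitSpec(spec)) {
        findings.push({ section, name, spec });
      }
    }
  }
  return findings;
}

// Same check against a parsed package-lock.json (lockfileVersion 2 or 3):
// the "packages" map records where each installed package was fetched from,
// so a registry tarball URL for an internal name means the wrong package
// (or a squatted one) was installed, whatever package.json says.
function findRegistryResolvedInLock(lock) {
  const findings = [];
  const packages = lock.packages || {};
  for (const [path, entry] of Object.entries(packages)) {
    const name = entry.name || path.split('node_modules/').pop();
    if (!INTERNAL_PACKAGES.includes(name)) continue;
    const resolved = entry.resolved || '';
    if (/^https?:\/\/registry\.npmjs\.org\//.test(resolved)) {
      findings.push({ path, name, resolved });
    }
  }
  return findings;
}

// Constructed sample inputs (not real Mattermost manifests).
const sampleManifest = {
  name: 'example-app',
  dependencies: {
    'mattermost-webapp': 'git:mattermost/mattermost-webapp', // ok: git source
    react: '^17.0.2',                                        // not an internal name
  },
  devDependencies: {
    'eslint-plugin-mattermost': '^0.1.0',                    // flagged: registry spec
  },
};

const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app' },
    'node_modules/mattermost-webapp': {
      resolved: 'git+ssh://git@github.com/mattermost/mattermost-webapp.git#0000000', // placeholder hash
    },
    'node_modules/eslint-plugin-mattermost': {
      version: '0.1.0',
      resolved: 'https://registry.npmjs.org/eslint-plugin-mattermost/-/eslint-plugin-mattermost-0.1.0.tgz',
    },
  },
};

for (const f of findRegistryResolvedInternals(sampleManifest)) {
  console.log(`package.json ${f.section}: ${f.name}@${f.spec} resolves to the registry`);
}
for (const f of findRegistryResolvedInLock(sampleLock)) {
  console.log(`package-lock.json ${f.path}: fetched from ${f.resolved}`);
}

module.exports = { isGitSpec, findRegistryResolvedInternals, findRegistryResolvedInLock, sampleManifest, sampleLock };
```

Run it against a real project by replacing the constructed objects with `JSON.parse(fs.readFileSync('package.json'))` and the lockfile; a non-empty result is exactly the condition in which `npm audit` would be reporting a genuinely installed registry package rather than a name-only false positive. Checking the lockfile as well as the manifest matters because a manifest can specify a git source while a stale or hand-edited lock still points at a registry tarball.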
