islamic-icons 1.1.7 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3)
  1. package/README.md +3 -1
  2. package/SECURITY.md +43 -0
  3. package/package.json +11 -2
package/README.md CHANGED
@@ -14,6 +14,8 @@ pnpm add islamic-icons
14
14
 
15
15
  **Requirements:** Node.js >= 18, React 16.8+ (web); for React Native / Expo, also install `react-native-svg` and use the `/native` entry (see below).
16
16
 
17
+ Security and supply-chain: this package has **no production dependencies**; only peer deps (React, react-native-svg). For Socket.dev and similar alerts, see [SECURITY.md](SECURITY.md).
18
+
17
19
  | Environment | Import from |
18
20
  |--------------------|--------------------------|
19
21
  | Web (React DOM) | `'islamic-icons'` |
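Review bot: the new sentence ties the "no production dependencies" claim to one specific scanner (Socket.dev), although any tool that walks devDependencies produces the same alerts; phrase it scanner-neutrally, e.g. `For dependency-scanner alerts (Socket.dev and similar), see [SECURITY.md](SECURITY.md).`, and say that `react-native-svg` is an optional peer (only needed for the `/native` entry, as the Requirements line above already states) so the two sentences agree.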
@@ -84,7 +86,7 @@ When neither `aria-label` nor `title` is set, icons get `aria-hidden="true"` so
84
86
  - **Direction** – Qibla
85
87
  - **Phrases** – Bismillah, Alhamdulillah, etc. (as SVGs)
86
88
 
87
- More icons are added over time. Run the demo or Storybook to see what’s available.
89
+ More icons are added over time. Run the documentation site (`npm run docs`, then open http://localhost:5174), the demo, or Storybook to see what’s available.
88
90
 
89
91
  ## React Native / Expo
90
92
 
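Review bot: the hardcoded `http://localhost:5174` will be wrong whenever the docs dev server falls back to another port (Vite picks the next free one if 5174 is taken) or the docs app's config changes; since `npm run docs` only runs `cd docs && npm run dev`, either say "open the URL printed by the dev server" or state that 5174 is the configured default for the docs app.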
package/SECURITY.md ADDED
@@ -0,0 +1,43 @@
1
+ # Security & Socket.dev Alerts
2
+
3
+ ## Published package surface
4
+
5
+ **`islamic-icons` has zero production dependencies.** When users install the package, they only receive:
6
+
7
+ - Built icon components in `dist/web` and `dist/native`
8
+ - Peer dependencies: `react`, `react-dom` (optional), `react-native-svg` (optional)
9
+
10
+ So **none of the Socket alerts affect the code that runs in your app** when you use this library. The alerts come from the **development and build dependency tree** (Vite, Storybook, Babel, ESLint, jimp, sharp, SVGO, etc.), which is not published to npm.
11
+
12
+ ## Why Socket shows so many alerts
13
+
14
+ Socket (and similar tools) analyze the **entire dependency tree** of the repository, including **devDependencies**. In this project, that includes:
15
+
16
+ - **Build/tooling**: Vite, Babel, TypeScript, vite-plugin-dts, Storybook
17
+ - **Image/icon tooling**: jimp, potrace, sharp, SVGO (used for scripts like `generate:icons`, `optimize:svgs`, `png-to-svg`)
18
+
19
+ Those tools commonly trigger alerts such as:
20
+
21
+ | Alert | Why it appears |
22
+ |-------|----------------|
23
+ | **Uses eval** | Bundlers and transpilers (e.g. Babel, Vite) use `eval` or dynamic code execution. |
24
+ | **Shell access** | Build scripts and dev tools (e.g. Storybook, Vite) run shell commands. |
25
+ | **Network access** | Dev server, hot reload, and some plugins use the network. |
26
+ | **Filesystem access** | Build and file-watching tools read/write files. |
27
+ | **Environment variable access** | Config and env loading (e.g. `NODE_ENV`, `.env`). |
28
+ | **Obfuscated / minified code** | Some dependencies ship minified or bundled code. |
29
+ | **Deprecated / Unmaintained** | Transitive devDependencies that are old or deprecated. |
30
+ | **URL strings** | In this repo: standard SVG `xmlns="http://www.w3.org/2000/svg"` and lockfile registry URLs; no runtime URL fetching in published code. |
31
+
32
+ So the alerts are expected for a project that uses modern JS tooling and do **not** indicate malicious behavior in the published package.
33
+
34
+ ## Known CVEs (devDependencies only)
35
+
36
+ `npm audit` may report vulnerabilities in **devDependencies** (e.g. jimp → file-type/phin, vite-plugin-dts → minimatch, vue-template-compiler). These do **not** run in production for consumers of `islamic-icons`. To reduce dev risk:
37
+
38
+ 1. Run `npm audit` and apply safe fixes: `npm audit fix`.
39
+ 2. For remaining issues, consider upgrading or replacing dev-only packages when convenient (e.g. upgrading `jimp` or `vite-plugin-dts` when compatible).
40
+
41
+ ## Reporting security issues
42
+
43
+ If you find a security issue in the **published** code (e.g. in `dist/` or in how the library is consumed), please report it responsibly (e.g. via the repository’s issue tracker or a private channel if the project provides one).
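Review bot: the statement on line 10 that none of the alerts "affect the code that runs in your app" overlooks that the same devDependencies (Babel, Vite, SVGO, sharp, jimp) are what produce `dist/`, so a compromised build tool can still change what consumers receive; add a short "Build integrity" paragraph saying releases are built from the committed lockfile (and, ideally, published with npm provenance), and mention that the `overrides` entry for minimatch in package.json is part of the mitigation rather than only `npm audit fix`. The "Reporting security issues" section should also name a concrete channel (an email address or GitHub private vulnerability reporting) instead of "a private channel if the project provides one".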
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "islamic-icons",
3
- "version": "1.1.7",
3
+ "version": "2.0.0",
4
4
  "description": "Tree-shakeable React component library of Islamic SVG icons",
5
5
  "type": "module",
6
6
  "main": "./dist/web/index.cjs",
@@ -31,7 +31,8 @@
31
31
  "dist/native",
32
32
  "README.md",
33
33
  "MIGRATION.md",
34
- "LICENSE"
34
+ "LICENSE",
35
+ "SECURITY.md"
35
36
  ],
36
37
  "sideEffects": false,
37
38
  "engines": {
@@ -56,6 +57,11 @@
56
57
  "png-to-svg": "node scripts/png-to-svg.mjs",
57
58
  "storybook": "storybook dev -p 6006",
58
59
  "build-storybook": "storybook build",
60
+ "docs": "node scripts/generate-docs-manifest.mjs && cd docs && npm run dev",
61
+ "docs:build": "node scripts/generate-docs-manifest.mjs && cd docs && npm run build",
62
+ "docs:copy-to-alkarartech": "node scripts/copy-docs-to-alkarartech.mjs",
63
+ "docs:deploy-local": "npm run docs:build && npm run docs:copy-to-alkarartech",
64
+ "generate:docs-manifest": "node scripts/generate-docs-manifest.mjs",
59
65
  "typecheck": "tsc --noEmit",
60
66
  "lint": "eslint src --ext .ts,.tsx"
61
67
  },
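Review bot: `docs:copy-to-alkarartech` and `docs:deploy-local` are maintainer-local deployment steps that reference `scripts/copy-docs-to-alkarartech.mjs`, and `docs`/`docs:build` assume `docs/` has its own installed `node_modules`; none of those paths are in the `files` list, so these scripts ship in the published package.json but cannot run from it. Keep only the scripts that work from a checkout, document `cd docs && npm install` as a prerequisite for `npm run docs`, and move the alkarartech copy step out of the public manifest.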
@@ -117,5 +123,8 @@
117
123
  "repository": {
118
124
  "type": "git",
119
125
  "url": ""
126
+ },
127
+ "overrides": {
128
+ "minimatch": "^9.0.5"
120
129
  }
121
130
  }
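Review bot: `overrides` is honored only by npm; pnpm reads `pnpm.overrides` and Yarn reads `resolutions`, so a contributor installing with pnpm (the README itself shows `pnpm add`) will not get minimatch ^9.0.5 and the audit finding SECURITY.md describes will reappear. Separately, `repository.url` is still empty here while SECURITY.md directs reporters to "the repository's issue tracker"; fill in the URL so those instructions point somewhere.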