Malicious Package detected in CI build by JFrog Xray scan #274

Description

@eddyloewen

I'm using the @custom-elements-manifest/analyzer package but I can't currently install it in my CI because the team uses a JFrog Xray scan that detects a malicious package (@ext-scoped/with-export-map) inside.

https://socket.dev/npm/package/@ext-scoped/with-export-map

I'm not sure why it does that, because as far as I can see it is not a real dependency in the project but rather just a string in the fixtures directory. But it is inside a package.json and therefore might seem legit.

I think there are two possible solutions to the problem: rename the fake dependency to something different, or exclude the fixtures directory from the bundle. Would either of the solutions be possible to implement?
