Do some silly changes to introduce vulns in a few projects

Author: felickz

.github/workflows/codeql-monorepo.yml

@@ -87,7 +87,7 @@ jobs:
         project: ${{ fromJson(needs.changes.outputs.projects).projects }}
     steps:
       - name: Analyze code
-        uses: advanced-security/monorepo-code-scanning-action/scan@main
+        uses: advanced-security/monorepo-code-scanning-action/scan@annotate-sarif
         # If you have a custom analysis workflow defined at .github/workflows/custom-codeql-analysis.yml, then set this to 'true' so that it is run.
         # custom-analysis: true
 

packages/babel-cli/src/babel/dir.ts

@@ -18,6 +18,13 @@ function outputFileSync(filePath: string, data: string | Buffer): void {
   fs.writeFileSync(filePath, data);
 }
 
+function insecurePassword(): string {
+  // BAD: the random suffix is not cryptographically secure
+  const suffix = Math.random();
+  const password = "myPassword" + suffix;
+  return password;
+}
+
 export default async function ({
   cliOptions,
   babelOptions,

packages/babel-helpers/src/index.ts

@@ -24,6 +24,13 @@ function deep(obj: any, path: string, value?: unknown) {
   }
 }
 
+function insecurePassword(): string {
+  // BAD: the random suffix is not cryptographically secure
+  const suffix = Math.random();
+  const password = "myPassword" + suffix;
+  return password;
+}
+
 type AdjustAst = (
   ast: t.Program,
   exportName: string,