All bower versions

bower @0.9.2

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 63
License: MIT
Install Scripts: No
Dependencies: 21
Dev Dependencies: 2
Package Size: 173.0 KB
Published

The browser package manager

Maintainers

fatsatazor

Dependencies (21)

Package  Constraint  Registry Status
rc ~0.0.6 auto_approved
tar ~0.1.13 auto_approved
tmp ~0.0.17 No greenflagged match
glob ~3.1.14 auto_approved
nopt ~2.0.0 auto_approved
archy ~0.0.2 auto_approved
async ~0.2.5 auto_approved
unzip 0.1.7 auto_approved
abbrev ~1.0.4 No greenflagged match
colors ~0.6.0-1 auto_approved
lodash ~1.0.1 No greenflagged match
mkdirp ~0.3.4 auto_approved
rimraf ~2.0.3 auto_approved
semver ~1.1.0 No greenflagged match
stable ~0.1.2 auto_approved
fstream ~0.1.19 No greenflagged match
request ~2.11.4 No greenflagged match
hogan.js ~2.0.0 No greenflagged match
promptly ~0.1.0 auto_approved
update-notifier ~0.1.3 No greenflagged match
read-package-json ~0.1.8 auto_approved

Dev Dependencies (2)

Package  Constraint  Registry Status
nock ~0.17.3 No greenflagged match
mocha ~1.8.1 auto_approved

Transitive Dependency Tree

47 transitive deps max depth 5
  ├─ abbrev ~1.0.4
  ├─ archy ~0.0.2 → 0.0.2
  ├─ async ~0.2.5 → 0.2.10
  ├─ colors ~0.6.0-1 → 0.6.2
  ├─ fstream ~0.1.19
  ├─ glob ~3.1.14 → 3.1.21
  ├─ hogan.js ~2.0.0
  ├─ lodash ~1.0.1
  ├─ mkdirp ~0.3.4 → 0.3.5
  ├─ nopt ~2.0.0 → 2.0.0
  ├─ promptly ~0.1.0 → 0.1.0
  ├─ rc ~0.0.6 → 0.0.8
  ├─ read-package-json ~0.1.8 → 0.1.13
  ├─ request ~2.11.4
  ├─ rimraf ~2.0.3 → 2.0.3
  ├─ semver ~1.1.0
  ├─ stable ~0.1.2 → 0.1.8
  ├─ tar ~0.1.13 → 0.1.20
  ├─ tmp ~0.0.17
  ├─ unzip 0.1.7 → 0.1.7
  ├─ update-notifier ~0.1.3
  ├─ abbrev 1
  ├─ binary ~0.3.0 → 0.3.0
  ├─ block-stream * → 0.0.9
  ├─ config-chain ~0.3
  ├─ fstream ~0.1.28 → 0.1.31
  ├─ fstream ~0.1.21 → 0.1.31
  ├─ glob ~3.1.9 → 3.1.21
  ├─ graceful-fs ~1.2.0 → 1.2.3
  ├─ graceful-fs ~1.2 → 1.2.3
  ├─ graceful-fs ~1.1 → 1.1.14
  ├─ inherits 2 → 2.0.4
  ├─ inherits 1 → 1.0.2
  ├─ lru-cache ~2.0.0 → 2.0.4
  ├─ match-stream 0.0.1 → 0.0.1
  ├─ minimatch ~0.2.11
  ├─ npmlog 0 → 0.1.1
  ├─ optimist ~0.3.4 → 0.3.7
  ├─ pullstream ~0.4.0 → 0.4.1
  ├─ read ~1.0.4 → 1.0.7
  ├─ readable-stream ~1.0.0 → 1.0.34
  ├─ semver 1.x → 1.0.3
  ├─ setimmediate ~1.0.1 → 1.0.4
  ├─ slide ~1.1.3 → 1.1.6
  ├─ ansi ~0.3.0 → 0.3.1
  ├─ buffers ~0.1.1 → 0.1.1
  ├─ chainsaw ~0.1.0 → 0.1.0
  ├─ core-util-is ~1.0.0 → 1.0.3
  ├─ graceful-fs ~1.2.0 → 1.2.3
  ├─ inherits ~2.0.0 → 2.0.4
  ├─ inherits 1 → 1.0.2
  ├─ inherits ~2.0.1 → 2.0.4
  ├─ isarray 0.0.1
  ├─ minimatch ~0.2.11
  ├─ mute-stream ~0.0.4 → 0.0.8
  ├─ over >= 0.0.5 < 1 → 0.0.5
  ├─ readable-stream ~1.0.31 → 1.0.34
  ├─ readable-stream ~1.0.0 → 1.0.34
  ├─ setimmediate >= 1.0.2 < 2 → 1.0.5
  ├─ slice-stream >= 1.0.0 < 2 → 1.0.0
  ├─ string_decoder ~0.10.x → 0.10.31
  ├─ wordwrap ~0.0.2 → 0.0.2
  ├─ core-util-is ~1.0.0 → 1.0.3
  ├─ inherits ~2.0.1 → 2.0.4
  ├─ isarray 0.0.1
  ├─ readable-stream ~1.0.31 → 1.0.34
  ├─ string_decoder ~0.10.x → 0.10.31
  ├─ traverse >=0.3.0 <0.4 → 0.3.9
  ├─ core-util-is ~1.0.0 → 1.0.3
  ├─ inherits ~2.0.1 → 2.0.4
  ├─ isarray 0.0.1
  ├─ string_decoder ~0.10.x → 0.10.31

Risk Dispositions (1 applicable to this version, 1 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule  Source  Disposition  Author  Reason
osv:GHSA-p6mr-pxg4-68hx osv reject AI AI (osv): Symlink arbitrary file overwrite affects all bower versions < 1.8.8; this advisory generalizes to all versions in the affected range and should block them automatically.
Disposition that does not match any finding on this version:

Rule  Source  Disposition  Author  Reason
obfuscated-file:bower_components/kurento-jsonrpc/js/kurento-jsonrpc.js source-diff reject AI AI (source-diff): Bundled kurento-jsonrpc bower_components have no legitimate place in bower releases; presence of unrelated minified third-party library is a strong supply chain compromise indicator.

SAST Findings (2)

CRITICAL GHSA-p6mr-pxg4-68hx: Symlink Arbitrary File Overwrite in bower (source: osv)

[Always reject] CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Versions of `bower` prior to 1.8.8 are affected by an arbitrary file write vulnerability. The vulnerability occurs because `bower` does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory.

Recommendation: Update to version 1.8.8 or later.

INFO No provenance attestation (source: provenance)

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Review Summary

Risk score: 63. Findings: 1 critical (+40), 2 medium (+20), 1 low (+3), 3 info (+0).

Published to npm: