braces @2.3.2

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 43
License: MIT
Install Scripts: No
Dependencies: 10
Dev Dependencies: 17
Package Size: 17.1 KB
Published:

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Maintainers

doowb, es128, jonschlinkert

Keywords

alpha, alphabetical, bash, brace, braces, expand, expansion, filepath, fill, fs, glob, globbing, letter, match, matches, matching, number, numerical, path, range, ranges, sh

Dependencies (10)

Package  Constraint  Registry Status
isobject ^3.0.1 auto_approved
to-regex ^3.0.1 auto_approved
fill-range ^4.0.0 auto_approved
snapdragon ^0.8.1 auto_approved
arr-flatten ^1.1.0 auto_approved
array-unique ^0.3.2 auto_approved
split-string ^3.0.2 auto_approved
extend-shallow ^2.0.1 No greenflagged match
repeat-element ^1.1.2 auto_approved
snapdragon-node ^2.0.1 auto_approved

Dev Dependencies (17)

Package  Constraint  Registry Status
gulp ^3.9.1 No greenflagged match
mocha ^3.2.0 auto_approved
ansi-cyan ^0.1.1 auto_approved
minimatch ^3.0.4 auto_approved
time-diff ^0.3.1 auto_approved
gulp-mocha ^3.0.1 No greenflagged match
is-windows ^1.0.1 auto_approved
text-table ^0.2.0 auto_approved
benchmarked ^2.0.0 auto_approved
cross-spawn ^5.1.0 No greenflagged match
gulp-eslint ^4.0.0 No greenflagged match
gulp-unused ^0.2.1 Not imported
yargs-parser ^8.0.0 No greenflagged match
gulp-istanbul ^1.1.2 Not imported
noncharacters ^1.1.0 auto_approved
gulp-format-md ^1.0.0 auto_approved
brace-expansion ^1.1.8 auto_approved

Transitive Dependency Tree

52 transitive deps max depth 10
  ├─ arr-flatten ^1.1.0 → 1.1.0
  ├─ array-unique ^0.3.2 → 0.3.2
  ├─ extend-shallow ^2.0.1
  ├─ fill-range ^4.0.0 → 4.0.0
  ├─ isobject ^3.0.1 → 3.0.1
  ├─ repeat-element ^1.1.2 → 1.1.4
  ├─ snapdragon ^0.8.1 → 0.8.2
  ├─ snapdragon-node ^2.0.1 → 2.1.1
  ├─ split-string ^3.0.2 → 3.1.0
├─ to-regex ^3.0.1 → 3.0.2
  ├─ base ^0.11.1 → 0.11.2
  ├─ debug ^2.2.0
  ├─ define-property ^1.0.0 → 1.0.0
  ├─ define-property ^2.0.2 → 2.0.2
  ├─ define-property ^0.2.5 → 0.2.5
  ├─ extend-shallow ^3.0.2 → 3.0.2
  ├─ extend-shallow ^2.0.1
  ├─ extend-shallow ^3.0.0 → 3.0.2
  ├─ is-number ^3.0.0 → 3.0.0
  ├─ isobject ^3.0.0 → 3.0.1
  ├─ map-cache ^0.2.2 → 0.2.2
  ├─ regex-not ^1.0.2 → 1.0.2
  ├─ repeat-string ^1.6.1 → 1.6.1
  ├─ safe-regex ^1.1.0 → 1.1.0
  ├─ snapdragon-util ^3.0.1 → 3.0.1
  ├─ source-map ^0.5.6 → 0.5.7
  ├─ source-map-resolve ^0.5.0
  ├─ to-regex-range ^2.1.0
├─ use ^3.1.0 → 3.1.1
  ├─ assign-symbols ^1.0.0
  ├─ cache-base ^1.0.1 → 1.0.1
  ├─ class-utils ^0.3.5 → 0.3.6
  ├─ component-emitter ^1.2.1 → 1.3.1
  ├─ define-property ^1.0.0 → 1.0.0
  ├─ extend-shallow ^3.0.2 → 3.0.2
  ├─ is-descriptor ^0.1.0 → 0.1.8
  ├─ is-descriptor ^1.0.0 → 1.0.4
  ├─ is-descriptor ^1.0.2 → 1.0.4
  ├─ is-extendable ^1.0.1 → 1.0.1
  ├─ isobject ^3.0.1 → 3.0.1
  ├─ kind-of ^3.0.2 → 3.2.2
  ├─ kind-of ^3.2.0 → 3.2.2
  ├─ mixin-deep ^1.2.0 → 1.3.2
  ├─ pascalcase ^0.1.1 → 0.1.1
  ├─ ret ~0.1.10 → 0.1.15
├─ safe-regex ^1.1.0 → 1.1.0
  ├─ arr-union ^3.1.0 → 3.1.0
  ├─ assign-symbols ^1.0.0
  ├─ collection-visit ^1.0.0 → 1.0.0
  ├─ component-emitter ^1.2.1 → 1.3.1
  ├─ define-property ^0.2.5 → 0.2.5
  ├─ for-in ^1.0.2 → 1.0.2
  ├─ get-value ^2.0.6 → 2.0.6
  ├─ has-value ^1.0.0 → 1.0.0
  ├─ is-accessor-descriptor ^1.0.2
  ├─ is-accessor-descriptor ^1.0.1
  ├─ is-buffer ^1.1.5 → 1.1.6
  ├─ is-data-descriptor ^1.0.1
  ├─ is-descriptor ^1.0.0 → 1.0.4
  ├─ is-extendable ^1.0.1 → 1.0.1
  ├─ is-plain-object ^2.0.4 → 2.0.4
  ├─ isobject ^3.0.1 → 3.0.1
  ├─ isobject ^3.0.0 → 3.0.1
  ├─ ret ~0.1.10 → 0.1.15
  ├─ set-value ^2.0.0 → 2.0.1
  ├─ static-extend ^0.1.1 → 0.1.2
  ├─ to-object-path ^0.3.0 → 0.3.0
  ├─ union-value ^1.0.0 → 1.0.1
├─ unset-value ^1.0.0 → 1.0.0
  ├─ arr-union ^3.1.0 → 3.1.0
  ├─ define-property ^0.2.5 → 0.2.5
  ├─ extend-shallow ^2.0.1
  ├─ get-value ^2.0.6 → 2.0.6
  ├─ has-value ^0.3.1 → 0.3.1
  ├─ has-values ^1.0.0 → 1.0.0
  ├─ is-accessor-descriptor ^1.0.2
  ├─ is-data-descriptor ^1.0.1
  ├─ is-descriptor ^0.1.0 → 0.1.8
  ├─ is-extendable ^0.1.1
  ├─ is-plain-object ^2.0.4 → 2.0.4
  ├─ is-plain-object ^2.0.3 → 2.0.4
  ├─ isobject ^3.0.1 → 3.0.1
  ├─ isobject ^3.0.0 → 3.0.1
  ├─ kind-of ^3.0.2 → 3.2.2
  ├─ map-visit ^1.0.0 → 1.0.0
  ├─ object-copy ^0.1.0 → 0.1.0
  ├─ object-visit ^1.0.0 → 1.0.1
  ├─ set-value ^2.0.1 → 2.0.1
├─ split-string ^3.0.1 → 3.1.0
  ├─ copy-descriptor ^0.1.0 → 0.1.1
  ├─ define-property ^0.2.5 → 0.2.5
  ├─ extend-shallow ^3.0.0 → 3.0.2
  ├─ extend-shallow ^2.0.1
  ├─ get-value ^2.0.3 → 2.0.6
  ├─ has-values ^0.1.4 → 0.1.4
  ├─ is-accessor-descriptor ^1.0.1
  ├─ is-buffer ^1.1.5 → 1.1.6
  ├─ is-data-descriptor ^1.0.1
  ├─ is-descriptor ^0.1.0 → 0.1.8
  ├─ is-extendable ^0.1.1
  ├─ is-number ^3.0.0 → 3.0.0
  ├─ is-plain-object ^2.0.3 → 2.0.4
  ├─ isobject ^3.0.1 → 3.0.1
  ├─ isobject ^2.0.0
  ├─ isobject ^3.0.0 → 3.0.1
  ├─ kind-of ^3.0.3 → 3.2.2
  ├─ kind-of ^4.0.0 → 4.0.0
  ├─ object-visit ^1.0.0 → 1.0.1
├─ split-string ^3.0.1 → 3.1.0
  ├─ assign-symbols ^1.0.0
  ├─ extend-shallow ^3.0.0 → 3.0.2
  ├─ is-accessor-descriptor ^1.0.1
  ├─ is-buffer ^1.1.5 → 1.1.6
  ├─ is-data-descriptor ^1.0.1
  ├─ is-descriptor ^0.1.0 → 0.1.8
  ├─ is-extendable ^1.0.1 → 1.0.1
  ├─ isobject ^3.0.1 → 3.0.1
  ├─ isobject ^3.0.0 → 3.0.1
├─ kind-of ^3.0.2 → 3.2.2
  ├─ assign-symbols ^1.0.0
  ├─ is-accessor-descriptor ^1.0.1
  ├─ is-buffer ^1.1.5 → 1.1.6
  ├─ is-data-descriptor ^1.0.1
  ├─ is-extendable ^1.0.1 → 1.0.1
├─ is-plain-object ^2.0.4 → 2.0.4
  ├─ is-plain-object ^2.0.4 → 2.0.4
├─ isobject ^3.0.1 → 3.0.1
  ├─ isobject ^3.0.1 → 3.0.1

Changes from v1.8.5

Dependency Changes

Change  Package  Version
added isobject ^3.0.1
added to-regex ^3.0.1
added fill-range ^4.0.0
added snapdragon ^0.8.1
added arr-flatten ^1.1.0
added array-unique ^0.3.2
added split-string ^3.0.2
added extend-shallow ^2.0.1
added snapdragon-node ^2.0.1
removed preserve ^0.2.0
removed expand-range ^1.8.1

Script Changes

+ benchmark

File Changes

4 added, 0 removed, 4 modified; size delta: +41.9 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule  Source  Disposition  Author  Reason
osv:GHSA-grv7-fg5c-xmjg osv reject AI AI (osv): Advisory affects all braces versions < 3.0.3; this version (2.1.0) is permanently in the affected range.

SAST Findings (2)

HIGH GHSA-grv7-fg5c-xmjg: Uncontrolled resource consumption in braces (source: osv)

CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

The NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js`, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

LOW No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 43. Findings: 1 critical (+40), 1 low (+3).

Commit: 8a3edbb31955

Published to npm: