comb @1.2.0
A framework for node
Maintainers
Keywords
Dev Dependencies (9)
| Package | Constraint | Registry Status |
|---|---|---|
| it | ^1.1.0 | auto_approved |
| grunt | ^0.4.5 | rejected |
| grunt-it | ^1.0.0 | Not imported |
| istanbul | ^0.4.1 | auto_approved |
| coveralls | ^2.11.4 | auto_approved |
| jit-grunt | ^0.9.1 | No greenflagged match |
| grunt-exec | ^0.4.6 | No greenflagged match |
| time-grunt | ^1.2.2 | No greenflagged match |
| grunt-contrib-jshint | ^0.11.3 | auto_approved |
Changes from v0.4.1
No metadata changes detected.
File Changes
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
osv:GHSA-vxr4-rxw7-g7v6 |
osv | reject | AI | AI (osv): Prototype Pollution vulnerability affects all versions <= 2.0.0 with no fix available. Verdict generalizes to every published version of this package. |
SAST Findings (3)
[Always reject] CVSS 6.5 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L All versions of package comb are vulnerable to Prototype Pollution via the `deepMerge()` function.
This version was published by a different npm account than previous versions on 2017-12-05. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 78. Findings: 1 critical (+40), 1 high (+25), 1 medium (+10), 1 low (+3).
Commit: 731e3d946abd Browse source
Published to npm: