[email protected] rejected Risk: 98 BSD-3-Clause 2024-01-06

content @3.1.2

rejected

This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.

npm Repository Homepage Tarball

Risk Score

BSD-3-Clause

License

Install Scripts

Dependencies

Dev Dependencies

2.2 KB

Package Size

2024-01-06

Published

HTTP Content-* headers parsing

Maintainers

nargonathdevinivymarsupnlf

Keywords

HTTPheadercontentcontent-typecontent-disposition

Dependencies (1)

Package	Constraint	Registry Status
boom	5.x.x	auto_approved

Dev Dependencies (2)

Package	Constraint	Registry Status
lab	14.x.x	auto_approved
code	4.x.x	auto_approved

Transitive Dependency Tree

2 transitive deps max depth 2

├─ boom 5.x.x → 5.3.3

├─ hoek 4.x.x → 4.3.1

Changes from v2.0.0

Dependency Changes

Change	Package	Version
changed	boom	2.x.x → 5.x.x

Script Changes

- test-tap

License Changed

BSD-3-Clause → SEE LICENSE IN LICENSE.md

File Changes

1 added 4 removed 4 modified size delta: -7.8 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule	Source	Disposition	Author	Reason
`osv:GHSA-5854-jvxx-2cg9`	osv	reject	AI	AI (osv): HIGH severity DoS vulnerability with no fix in this package; affected range covers all versions including 4.0.6. Package is deprecated; verdict generalizes to all versions.

SAST Findings (3)

CRITICAL GHSA-5854-jvxx-2cg9: Denial of Service in content osv

[Always reject] Versions of `content` are vulnerable to Denial of Service. The Content-Encoding HTTP header parser has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. Because hapi rethrows system errors (as opposed to catching expected application errors), the error is thrown all the way up the stack. If no unhandled exception handler is available, the application will exist, allowing an attacker to shut down services. ## Recommendation This package is deprecated and is now maintained as `@hapi/content`. Please update your dependencies to use `@hapi/content`.

HIGH Publisher changed: hueniverse → nargonath (on 2024-01-06) provenance

This version was published by a different npm account than previous versions on 2024-01-06. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 98. Findings: 1 critical (+40), 1 high (+25), 3 medium (+30), 1 low (+3), 1 info (+0).

Commit: dfbb048373a9 Browse source

Published to npm: 2024-01-06