content @4.0.5
HTTP Content-* headers parsing
Maintainers
Keywords
Dependencies (1)
| Package | Constraint | Registry Status |
|---|---|---|
| boom | 7.x.x | auto_approved |
Dev Dependencies (2)
| Package | Constraint | Registry Status |
|---|---|---|
| lab | 15.x.x | auto_approved |
| code | 5.x.x | auto_approved |
Transitive Dependency Tree
Changes from v2.0.0
Dependency Changes
| Change | Package | Version |
|---|---|---|
| changed | boom | 2.x.x → 7.x.x |
File Changes
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
osv:GHSA-5854-jvxx-2cg9 |
osv | reject | AI | AI (osv): HIGH severity DoS vulnerability with no fix in this package; affected range covers all versions including 4.0.6. Package is deprecated; verdict generalizes to all versions. |
SAST Findings (2)
[Always reject] Versions of `content` are vulnerable to Denial of Service. The Content-Encoding HTTP header parser has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. Because hapi rethrows system errors (as opposed to catching expected application errors), the error is thrown all the way up the stack. If no unhandled exception handler is available, the application will exist, allowing an attacker to shut down services. ## Recommendation This package is deprecated and is now maintained as `@hapi/content`. Please update your dependencies to use `@hapi/content`.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 43. Findings: 1 critical (+40), 1 low (+3).
Commit: 94f6a07f4223 Browse source
Published to npm: