cookie-signature @1.0.3

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 40
License: MIT
Install Scripts: No
Dependencies: 0
Dev Dependencies: 2
Package Size: 1.9 KB
Published

Sign and unsign cookies

Maintainers

tjholowaychuk

Keywords

cookie, sign, unsign

Dev Dependencies (2)

Package    Constraint    Registry Status
mocha      *             auto_approved
should     *             auto_approved

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule: osv:GHSA-92vm-wfm5-mxvv
Source: osv
Disposition: reject
Author: AI
Reason: AI (osv): Timing attack vulnerability fixed in 1.0.4; all versions below that threshold should be rejected.

SAST Findings (2)

[MEDIUM] GHSA-92vm-wfm5-mxvv: cookie-signature Timing Attack (source: osv)

CVSS 4.4 (MEDIUM) — CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Affected versions of `cookie-signature` are vulnerable to timing attacks as a result of using a fail-early comparison instead of a constant-time comparison. Timing attacks remove the exponential increase in entropy gained from increased secret length by providing per-character feedback on the correctness of a guess via minuscule timing differences. Under favorable network conditions, an attacker can exploit this to guess the secret in no more than `charset*length` guesses, instead of the `charset^length` guesses required were the timing attack not present.

Recommendation: Update to 1.0.4 or later.

[LOW] No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 40. Findings: 1 critical (+40), 1 info (+0).

Published to npm: