
core-js @2.6.9

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 100
License: MIT
Install Scripts: No
Dependencies: 0
Dev Dependencies: 23
Package Size: 600.9 KB
Published

Standard library

Maintainers

zloirock

Keywords

ES3, ES5, ES6, ES7, ES2015, ES2016, ES2017, ECMAScript 3, ECMAScript 5, ECMAScript 6, ECMAScript 7, ECMAScript 2015, ECMAScript 2016, ECMAScript 2017, Harmony, Strawman, Map, Set, WeakMap, WeakSet, Promise, Symbol, TypedArray, setImmediate, Dict, polyfill, shim

Dev Dependencies (23)

Package                   Constraint  Registry Status
temp                      ^0.8.3      auto_approved
grunt                     ^1.0.2      auto_approved
karma                     ^2.0.0      auto_approved
qunit                     2.6.x       No greenflagged match
eslint                    4.19.x      auto_approved
webpack                   ^3.11.0     auto_approved
grunt-cli                 ^1.2.0      auto_approved
LiveScript                1.3.x       auto_approved
grunt-karma               ^2.0.0      Not imported
karma-qunit               ^2.1.0      Not imported
grunt-livescript          0.6.x       Not imported
karma-ie-launcher         ^1.0.0      auto_approved
grunt-contrib-copy        ^1.0.0      auto_approved
phantomjs-prebuilt        2.1.x       auto_approved
es-observable-tests       0.2.x       Not imported
grunt-contrib-clean       ^1.1.0      auto_approved
grunt-contrib-watch       ^1.0.0      auto_approved
eslint-plugin-import      2.12.x      auto_approved
grunt-contrib-uglify      3.3.x       auto_approved
promises-aplus-tests      ^2.1.2      auto_approved
karma-chrome-launcher     ^2.2.0      auto_approved
karma-firefox-launcher    ^1.0.1      auto_approved
karma-phantomjs-launcher  1.0.x       auto_approved

Changes from v2.5.7

Dependency Changes

Script Changes

+ postinstall

File Changes

16 added, 0 removed, 46 modified; size delta: +76.2 KB

SAST Findings (5)

CRITICAL shady-links-exfil-services: client/core.js:6385 semgrep

URL pointing to known exfiltration/tunneling service
Source: https://github.com/zloirock/core-js/blob/6a3fe85136aaae0e3b099c96a05a5ceb1f515a50/client/core.js#L6385

  6383 | // but for some reason `nativeSlice.call(result, 1, result.length)` (called in
  6384 | // the slice polyfill when slicing native arrays) "doesn't work" in safari 9 and
> 6385 | // causes a crash (https://pastebin.com/N21QzeQA) when trying to debug it.
  6386 | for (var j = 1; j < result.length; j++) captures.push(maybeToString(result[j]));
  6387 | var namedCaptures = result.groups;

CRITICAL shady-links-exfil-services: client/shim.js:6283 semgrep

URL pointing to known exfiltration/tunneling service
Source: https://github.com/zloirock/core-js/blob/6a3fe85136aaae0e3b099c96a05a5ceb1f515a50/client/shim.js#L6283

  6281 | // but for some reason `nativeSlice.call(result, 1, result.length)` (called in
  6282 | // the slice polyfill when slicing native arrays) "doesn't work" in safari 9 and
> 6283 | // causes a crash (https://pastebin.com/N21QzeQA) when trying to debug it.
  6284 | for (var j = 1; j < result.length; j++) captures.push(maybeToString(result[j]));
  6285 | var namedCaptures = result.groups;

CRITICAL shady-links-exfil-services: modules/es6.regexp.replace.js:66 semgrep

URL pointing to known exfiltration/tunneling service
Source: https://github.com/zloirock/core-js/blob/6a3fe85136aaae0e3b099c96a05a5ceb1f515a50/modules/es6.regexp.replace.js#L66

  64 | // but for some reason `nativeSlice.call(result, 1, result.length)` (called in
  65 | // the slice polyfill when slicing native arrays) "doesn't work" in safari 9 and
> 66 | // causes a crash (https://pastebin.com/N21QzeQA) when trying to debug it.
  67 | for (var j = 1; j < result.length; j++) captures.push(maybeToString(result[j]));
  68 | var namedCaptures = result.groups;

HIGH Package has 'postinstall' script install-scripts

Script: node scripts/postinstall || echo "ignore"

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 100 (capped from 148). Findings: 3 critical (+120), 1 high (+25), 1 low (+3).

Commit: 6a3fe85136aa

Published to npm: