decompress-zip @0.1.0

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 53
License: MIT
Install Scripts: No
Dependencies: 7
Dev Dependencies: 12
Package Size: 10.9 KB
Published

Extract files from a ZIP archive

Maintainers

wibblymat, paulirish, sheerun, sindresorhus, satazor

Keywords

zip, unzip, tar, untar, compress, decompress, archive, extract, zlib

Dependencies (7)

Package           Constraint   Registry Status
q                 ^1.1.2       auto_approved
nopt              ^3.0.1       auto_approved
touch             0.0.3        auto_approved
binary            ^0.3.0       auto_approved
mkpath            ^0.1.0       auto_approved
graceful-fs       ^3.0.0       auto_approved
readable-stream   ^1.1.8       auto_approved

Dev Dependencies (12)

Package                Constraint   Registry Status
tmp                    0.0.24       No greenflagged match
chai                   ^1.10.0      auto_approved
glob                   ^4.3.2       auto_approved
grunt                  ^0.4.1       rejected
mocha                  ^2.1.0       auto_approved
request                ^2.51.0      No greenflagged match
istanbul               ^0.3.5       auto_approved
grunt-cli              ^0.1.13      auto_approved
grunt-exec             ^0.4.2       No greenflagged match
grunt-simple-mocha     ^0.4.0       auto_approved
grunt-contrib-watch    ^0.6.1       auto_approved
grunt-contrib-jshint   ^0.10.0      auto_approved

Transitive Dependency Tree

16 transitive deps, max depth 3 (listed by depth, alphabetically within each depth)
├─ binary ^0.3.0 → 0.3.0
├─ graceful-fs ^3.0.0 → 3.0.12
├─ mkpath ^0.1.0 → 0.1.0
├─ nopt ^3.0.1 → 3.0.6
├─ q ^1.1.2 → 1.5.1
├─ readable-stream ^1.1.8 → 1.1.14
└─ touch 0.0.3 → 0.0.3
  ├─ abbrev 1
  ├─ buffers ~0.1.1 → 0.1.1
  ├─ chainsaw ~0.1.0 → 0.1.0
  ├─ core-util-is ~1.0.0 → 1.0.3
  ├─ inherits ~2.0.1 → 2.0.4
  ├─ isarray 0.0.1
  ├─ natives ^1.1.3 → 1.1.6
  ├─ nopt ~1.0.10 → 1.0.10
  └─ string_decoder ~0.10.x → 0.10.31
    ├─ abbrev 1
    └─ traverse >=0.3.0 <0.4 → 0.3.9

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule: osv:GHSA-73v8-v6g4-vrpm
Source: osv
Disposition: reject
Author: AI
Reason: AI (osv): Zip-Slip arbitrary file overwrite vulnerability affects all versions < 0.2.2; fix is available. Verdict generalizes to all versions in the affected range.

SAST Findings (2)

CRITICAL GHSA-73v8-v6g4-vrpm: Arbitrary File Overwrite in decompress-zip osv

[Always reject] Vulnerable versions of `decompress-zip` are affected by the Zip-Slip vulnerability, an arbitrary file write vulnerability. The vulnerability occurs because `decompress-zip` does not verify that extracted files do not resolve to targets outside of the extraction root directory.

Recommendation

For `decompress-zip` 0.2.x upgrade to 0.2.2 or later. For `decompress-zip` 0.3.x upgrade to 0.3.2 or later.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Review Summary

Risk score: 53. Findings: 1 critical (+40), 1 medium (+10), 1 low (+3), 1 info (+0).

Commit: 2280a68c81f0

Published to npm: