dom-iterator @0.2.1
iterator for mini-html-parser
Maintainers
Keywords
Dependencies (2)
| Package | Constraint | Registry Status |
|---|---|---|
| xor | component/xor#0.0.2 | No greenflagged match |
| props | component/props#1.0.3 | No greenflagged match |
Dev Dependencies (3)
| Package | Constraint | Registry Status |
|---|---|---|
| mocha | ~1.17.1 | auto_approved |
| component-test | ~0.1.3 | Not imported |
| mini-html-parser | 0.0.3 | Not imported |
Transitive Dependency Tree
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
| osv:GHSA-jrvm-mcxc-mf6m | osv | reject | AI | AI (osv): CVE-2024-21541: arbitrary code execution via Function constructor; fixed in 1.0.1. Affects all versions < 1.0.1. | |
SAST Findings (3)
[Always reject] CVSS 7.3 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Function generates a new function body and thus care must be given to ensure that the inputs to Function are not attacker-controlled. The risks involved are similar to that of allowing attacker-controlled input to reach eval.
Script: make npm
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 88. Findings: 1 critical (+40), 1 high (+25), 2 medium (+20), 1 low (+3).
Published to npm: