eco @1.0.3
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
| Metric | Value |
|---|---|
| Risk Score | 53 |
| License | — |
| Install Scripts | No |
| Dependencies | 2 |
| Dev Dependencies | 0 |
| Package Size | 12.5 KB |
| Published | |
Embedded CoffeeScript templates
Dependencies (2)
| Package | Constraint | Registry Status |
|---|---|---|
| strscan | >=1.0.1 | auto_approved |
| coffee-script | >=1.0.1 | auto_approved |
Transitive Dependency Tree (2 transitive deps, max depth 1)
├─ coffee-script >=1.0.1 → 1.12.7
└─ strscan >=1.0.1 → 1.0.1
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-r32x-jhw5-g48p | osv | reject | AI | AI (osv): XSS vulnerability affects all versions of eco (>= 0.0.0) with no fix available; verdict generalizes to every published version. |
SAST Findings (2)
CRITICAL
GHSA-r32x-jhw5-g48p: Cross-Site Scripting in eco
Source: osv
[Always reject] All versions of `eco` are vulnerable to Cross-Site Scripting (XSS). The package's default `__escape` implementation fails to escape single quotes, which may allow attackers to execute arbitrary JavaScript in the victim's browser.
## Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
LOW
No provenance attestation
Source: provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
Review Summary
Risk score: 53. Findings: 1 critical (+40), 1 medium (+10), 1 low (+3).
Published to npm: