[email protected] rejected Risk: 43 MIT 2015-08-07

expand-object @0.3.8

rejected

This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.

npm Repository Homepage Tarball

Risk Score

MIT

License

Install Scripts

Dependencies

Dev Dependencies

4.9 KB

Package Size

2015-08-07

Published

Expand a string into a JavaScript object using a simple notation. Use the CLI or as a node.js lib.

Maintainers

jonschlinkertdoowb

Keywords

gethashasownkeykeysnestednotationobjectproppropertiespropertypropssetvaluevalues

Dependencies (5)

Package	Constraint	Registry Status
minimist	^1.1.2	auto_approved
get-stdin	^4.0.1	auto_approved
is-number	^2.0.2	auto_approved
set-value	^0.2.0	No greenflagged match
data-store	^0.8.0	auto_approved

Dev Dependencies (1)

Package	Constraint	Registry Status
mocha	*	auto_approved

Transitive Dependency Tree

41 transitive deps max depth 8

├─ data-store ^0.8.0 → 0.8.2

├─ get-stdin ^4.0.1 → 4.0.1

├─ is-number ^2.0.2 → 2.1.0

├─ minimist ^1.1.2 → 1.2.8

├─ set-value ^0.2.0

├─ collection-visit ^0.1.1 → 0.1.1

├─ component-emitter ^1.2.0 → 1.3.1

├─ extend-shallow ^2.0.1

├─ get-value ^1.1.5 → 1.3.1

├─ graceful-fs ^4.1.2 → 4.2.11

├─ has-own-deep ^0.1.4 → 0.1.4

├─ has-value ^0.2.0 → 0.2.1

├─ kind-of ^2.0.0 → 2.0.1

├─ kind-of ^3.0.2 → 3.2.2

├─ lazy-cache ^0.2.2 → 0.2.7

├─ mkdirp ^0.5.1 → 0.5.6

├─ object.omit ^2.0.0 → 2.0.1

├─ rimraf ^2.4.2 → 2.7.1

├─ set-value ^0.2.0

├─ union-value ^0.1.1 → 0.1.1

├─ arr-flatten ^1.0.1 → 1.1.0

├─ arr-union ^3.0.0 → 3.1.0

├─ for-own ^0.1.4

├─ get-value ^2.0.0 → 2.0.6

├─ get-value ^1.1.5 → 1.3.1

├─ glob ^7.1.3 → 7.1.7

├─ has-values ^0.1.3 → 0.1.4

├─ is-buffer ^1.0.2 → 1.1.6

├─ is-buffer ^1.1.5 → 1.1.6

├─ is-extendable ^0.1.1

├─ lazy-cache ^0.2.4 → 0.2.7

├─ map-visit ^0.1.0 → 0.1.5

├─ minimist ^1.2.6 → 1.2.8

├─ noncharacters ^1.1.0 → 1.1.0

├─ object-visit ^0.1.0 → 0.1.0

├─ set-value ^0.2.0

├─ arr-flatten ^1.0.1 → 1.1.0

├─ fs.realpath ^1.0.0

├─ inflight ^1.0.4

├─ inherits 2 → 2.0.4

├─ is-extendable ^0.1.1

├─ isobject ^1.0.0

├─ lazy-cache ^0.2.4 → 0.2.7

├─ lazy-cache ^2.0.1 → 2.0.2

├─ minimatch ^3.0.4 → 3.1.5

├─ noncharacters ^1.1.0 → 1.1.0

├─ object-visit ^0.3.4 → 0.3.4

├─ once ^1.3.0 → 1.4.0

├─ path-is-absolute ^1.0.0 → 1.0.1

├─ brace-expansion ^1.1.7 → 1.1.15

├─ isobject ^2.0.0

├─ set-getter ^0.1.0 → 0.1.1

├─ wrappy 1 → 1.0.2

├─ balanced-match ^1.0.0 → 1.0.2

├─ concat-map 0.0.1 → 0.0.1

├─ to-object-path ^0.3.0 → 0.3.0

├─ kind-of ^3.0.2 → 3.2.2

├─ is-buffer ^1.1.5 → 1.1.6

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule	Source	Disposition	Author	Reason
`osv:GHSA-4vjr-hfpp-2m7w`	osv	reject	AI	AI (osv): Prototype Pollution vulnerability covers all versions including 0.4.2 with no fix published; verdict generalizes to all versions in the affected range.

SAST Findings (2)

CRITICAL GHSA-4vjr-hfpp-2m7w: expand-object Vulnerable to Prototype Pollution via the expand() Function osv

[Always reject] CVSS 7.3 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Versions of the package expand-object from 0.0.0 to 0.4.2 are vulnerable to Prototype Pollution in the expand() function in index.js. This function expands the given string into an object and allows a nested property to be set without checking the provided keys for sensitive properties like __proto__.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Review Summary

Risk score: 43. Findings: 1 critical (+40), 1 low (+3).

Commit: 819653056a5e Browse source

Published to npm: 2015-08-07