
expr-eval @1.2.3

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 83
License: MIT
Install Scripts: No
Dependencies: 0
Dev Dependencies: 11
Package Size: 19.8 KB
Published

Mathematical expression evaluator

Maintainers

silentmatt

Keywords

expression, math, evaluate, eval, function, parser

Dev Dependencies (11)

Package                     Constraint   Registry Status
mocha                       ^5.0.0       auto_approved
eslint                      ^5.12.1      auto_approved
rollup                      ^0.63.0      auto_approved
istanbul                    ^0.4.5       No greenflagged match
eslint-plugin-node          ^8.0.1       No greenflagged match
eslint-plugin-import        ^2.15.0      auto_approved
rollup-plugin-uglify        ^3.0.0       auto_approved
eslint-plugin-promise       ^4.0.1       auto_approved
eslint-config-standard      ^12.0.0      auto_approved
eslint-plugin-standard      ^4.0.0       auto_approved
eslint-config-semistandard  ^13.0.0      auto_approved

Changes from v0.12.0

No metadata changes detected.

File Changes

2 added, 0 removed, 3 modified; size delta: +32.2 KB

Risk Dispositions (2 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule                     Source  Disposition  Author  Reason
osv:GHSA-jc85-fpwf-qm7x  osv     reject       AI      AI (osv): Advisory affects all versions <= 2.0.2; fix is in 3.0.1. This generalizes to every 2.x release of this package.
osv:GHSA-8gw3-rxh4-v6jx  osv     reject       AI      AI (osv): Prototype pollution advisory with affected range including <= 2.0.2; generalizes across affected versions.

SAST Findings (3)

CRITICAL (source: osv) GHSA-8gw3-rxh4-v6jx: expr-eval vulnerable to Prototype Pollution

[Always reject] CVSS 7.3 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to the expression evaluation interface can use the JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.

CRITICAL (source: osv) GHSA-jc85-fpwf-qm7x: expr-eval does not restrict functions passed to the evaluate function

[Always reject] The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted variables object into the evaluate() function and trigger arbitrary code execution.

LOW (source: provenance) No provenance attestation

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 83. Findings: 2 critical (+80), 1 low (+3).

Commit: 49a85eb189ff

Published to npm: