
expr-eval @2.0.2

Status: rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 53
License: MIT
Install Scripts: No
Dependencies: 0
Dev Dependencies: 11
Package Size: 34.4 KB
Published:

Mathematical expression evaluator

Maintainers

silentmatt

Keywords

expression, math, evaluate, eval, function, parser

Dev Dependencies (11)

Package                      Constraint   Registry Status
nyc                          ^14.1.1      auto_approved
mocha                        ^6.2.0       auto_approved
eslint                       ^6.3.0       auto_approved
rollup                       ^1.20.3      auto_approved
eslint-plugin-node           ^9.2.0       No greenflagged match
eslint-plugin-import         ^2.15.0      auto_approved
rollup-plugin-uglify         ^6.0.3       auto_approved
eslint-plugin-promise        ^4.0.1       auto_approved
eslint-config-standard       ^13.0.1      auto_approved
eslint-plugin-standard       ^4.0.0       auto_approved
eslint-config-semistandard   ^15.0.0      auto_approved

Changes from v0.12.0

Dependency Changes

Script Changes

+ watch

File Changes

4 added, 0 removed, 3 modified; size delta: +98.9 KB

Risk Dispositions (2 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule: osv:GHSA-jc85-fpwf-qm7x | Source: osv | Disposition: reject | Author: AI
Reason: AI (osv): Advisory affects all versions <= 2.0.2; fix is in 3.0.1. This generalizes to every 2.x release of this package.

Rule: osv:GHSA-8gw3-rxh4-v6jx | Source: osv | Disposition: reject | Author: AI
Reason: AI (osv): Prototype pollution advisory with affected range including <= 2.0.2; generalizes across affected versions.

SAST Findings (3)

HIGH  GHSA-8gw3-rxh4-v6jx: expr-eval vulnerable to Prototype Pollution (source: osv)

CVSS 7.3 (HIGH): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

The npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to the expr-eval interface can use the JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.

HIGH  GHSA-jc85-fpwf-qm7x: expr-eval does not restrict functions passed to the evaluate function (source: osv)

The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted variables object into the evaluate() function and trigger arbitrary code execution.

LOW  No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 53. Findings: 2 high (+50), 1 low (+3).

Commit: b4cf0607cc64

Published to npm: