
fstream @1.0.11

Status: rejected

This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 100
License: ISC
Install Scripts: No
Dependencies: 4
Dev Dependencies: 2
Package Size: 16.8 KB

Advanced file system stream things

Maintainers

iarna, isaacs, othiym23, zkat

Dependencies (4)

Package       Constraint   Registry Status
mkdirp        >=0.5 0      auto_approved
rimraf        2            auto_approved
inherits      ~2.0.0       auto_approved
graceful-fs   ^4.1.2       auto_approved

Dev Dependencies (2)

Package       Constraint   Registry Status
tap           ^1.2.0       auto_approved
standard      ^4.0.0       auto_approved

Transitive Dependency Tree

15 transitive deps, max depth 5

├─ graceful-fs ^4.1.2 → 4.2.11
├─ inherits ~2.0.0 → 2.0.4
├─ mkdirp >=0.5 0 → 0.5.6
│  └─ minimist ^1.2.6 → 1.2.8
└─ rimraf 2 → 2.7.1
   └─ glob ^7.1.3 → 7.1.7
      ├─ fs.realpath ^1.0.0
      ├─ inflight ^1.0.4
      ├─ inherits 2 → 2.0.4
      ├─ minimatch ^3.0.4 → 3.1.5
      │  └─ brace-expansion ^1.1.7 → 1.1.15
      │     ├─ balanced-match ^1.0.0 → 1.0.2
      │     └─ concat-map 0.0.1 → 0.0.1
      ├─ once ^1.3.0 → 1.4.0
      │  └─ wrappy 1 → 1.0.2
      └─ path-is-absolute ^1.0.0 → 1.0.1

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule: osv:GHSA-xf7w-r453-m56c
Source: osv
Disposition: reject
Author: AI
Reason: AI (osv): HIGH severity arbitrary file overwrite; affected range < 1.0.12 covers this version; fix available in 1.0.12.

SAST Findings (5)

HIGH [provenance] Publisher changed: othiym23 → zkat (on 2017-03-07)

This version was published by a different npm account than previous versions on 2017-03-07. This could indicate a legitimate maintainer transition or an account compromise.

HIGH [email-domain] Unclaimed maintainer email domain: aoaioxxysz.net

Maintainer email '[email protected]' uses domain 'aoaioxxysz.net' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

HIGH [osv] GHSA-xf7w-r453-m56c: Arbitrary File Overwrite in fstream

CVSS 7.5 (HIGH) — CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Versions of `fstream` prior to 1.0.12 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file. The `fstream.DirWriter()` function is vulnerable.

Recommendation: Upgrade to version 1.0.12 or later.

HIGH [semgrep] etc-passwd-access: examples/reader.js:57

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

Source: https://github.com/npm/fstream/blob/1e4527ffe8688d4f5325283d7cf2cf2d61f14c6b/examples/reader.js#L57

      55 | tap.test('reader error test', function (t) {
      56 |   // assumes non-root on a *nix system
    > 57 |   var r = fstream.Reader({ path: '/etc/shadow' })
      58 |
      59 |   r.once('error', function (er) {

The flagged line sits in the example's error-handling test (note the "assumes non-root" comment): the read of /etc/shadow is expected to fail, and the test registers an error handler for that case.

LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 100 (capped from 103). Findings: 4 high (+100), 1 low (+3).

Commit: 1e4527ffe868
