
ggit @1.13.4

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 92
License: MIT
Install Scripts: No
Dependencies: 16
Dev Dependencies: 22
Package Size: 15.5 KB
Published

Local promise-returning git command wrappers

Maintainers

bahmutov

Keywords

git, javascript, js, nodejs, repo, wrapper

Dependencies (16)

Package            Constraint   Registry Status
q                  2.0.3        auto_approved
glob               7.1.1        No greenflagged match
debug              2.3.3        No greenflagged match
quote              0.4.0        auto_approved
ramda              0.9.1        auto_approved
colors             1.1.2        auto_approved
lodash             3.10.1       No greenflagged match
moment             2.17.0       No greenflagged match
bluebird           3.4.6        auto_approved
lazy-ass           1.5.0        auto_approved
optimist           0.6.1        auto_approved
cli-table          0.3.1        auto_approved
commander          2.9.0        auto_approved
d3-helpers         0.3.0        auto_approved
chdir-promise      0.4.0        auto_approved
check-more-types   2.23.0       auto_approved

Dev Dependencies (22)

Package                Constraint   Registry Status
gt                     0.10.0       No greenflagged match
grunt                  0.4.5        No greenflagged match
mocha                  2.3.4        auto_approved
rocha                  1.6.1        Not imported
pre-git                1.4.0        Not imported
matchdep               1.0.1        No greenflagged match
grunt-cli              0.1.13       auto_approved
git-issues             1.2.0        Not imported
grunt-bump             0.6.0        auto_approved
time-grunt             1.2.2        No greenflagged match
describe-it            1.7.0        Not imported
grunt-readme           0.4.5        Not imported
grunt-deps-ok          0.9.0        Not imported
grunt-jsonlint         1.0.6        Not imported
jshint-stylish         2.1.0        auto_approved
jshint-summary         0.4.0        Not imported
qunit-promises         0.1.5        Not imported
grunt-filenames        0.4.0        Not imported
grunt-complexity       0.3.0        auto_approved
semantic-release       6.0.3        auto_approved
grunt-nice-package     0.9.6        Not imported
grunt-contrib-jshint   0.11.3       auto_approved

Transitive Dependency Tree

23 transitive deps max depth 2
  ├─ bluebird 3.4.6 → 3.4.6
  ├─ chdir-promise 0.4.0 → 0.4.0
  ├─ check-more-types 2.23.0 → 2.23.0
  ├─ cli-table 0.3.1 → 0.3.1
  ├─ colors 1.1.2 → 1.1.2
  ├─ commander 2.9.0 → 2.9.0
  ├─ d3-helpers 0.3.0 → 0.3.0
  ├─ debug 2.3.3
  ├─ glob 7.1.1
  ├─ lazy-ass 1.5.0 → 1.5.0
  ├─ lodash 3.10.1
  ├─ moment 2.17.0
  ├─ optimist 0.6.1 → 0.6.1
  ├─ q 2.0.3 → 2.0.3
  ├─ quote 0.4.0 → 0.4.0
  ├─ ramda 0.9.1 → 0.9.1
  ├─ asap ^2.0.0 → 2.0.6
  ├─ check-more-types 2.23.0 → 2.23.0
  ├─ colors 1.0.3 → 1.0.3
  ├─ debug ^2.3.3
  ├─ graceful-readlink >= 1.0.0 → 1.0.1
  ├─ lazy-ass 1.5.0 → 1.5.0
  ├─ minimist ~0.0.1
  ├─ pop-iterate ^1.0.1 → 1.0.1
  ├─ q 1.1.2 → 1.1.2
  ├─ spots 0.4.0 → 0.4.0
  ├─ weak-map ^1.0.5 → 1.0.8
  ├─ wordwrap ~0.0.2 → 0.0.2

Changes from v0.14.0

Dependency Changes

Change    Package            Version
added     debug              2.3.3
added     bluebird           3.4.6
removed   check-types        1.4.0
changed   glob               4.3.5 → 7.1.1
changed   colors             1.0.3 → 1.1.2
changed   lodash             3.1.0 → 3.10.1
changed   moment             2.9.0 → 2.17.0
changed   lazy-ass           0.5.3 → 1.5.0
changed   commander          2.6.0 → 2.9.0
changed   chdir-promise      0.2.1 → 0.4.0
changed   check-more-types   1.3.0 → 2.23.0

Script Changes

+ size
+ build
+ grunt
+ mocha
+ rocha
+ commit
+ issues
+ mocha:src
+ mocha:spec
+ file-status
+ semantic-release

File Changes

10 added, 81 removed, 21 modified; size delta: -550.2 KB

Risk Dispositions (2 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule: osv:GHSA-62cx-5xj4-wfm4
  Source: osv   Disposition: reject   Author: AI
  Reason: AI (osv): Command injection via fetchTags() affects all versions <= 2.4.12 with no fix; verdict generalizes to every version in this range.

Rule: osv:GHSA-pr45-cg4x-ff4m
  Source: osv   Disposition: reject   Author: AI
  Reason: AI (osv): Argument injection via clone() affects all versions <= 2.4.12 with no fix; verdict generalizes to every version in this range.

SAST Findings (3)

CRITICAL (source: osv) GHSA-62cx-5xj4-wfm4: ggit is vulnerable to Command Injection via the fetchTags(branch) API

[Always reject] CVSS 7.3 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API.

CRITICAL (source: osv) GHSA-pr45-cg4x-ff4m: ggit is vulnerable to Arbitrary Argument Injection via the clone() API

[Always reject] CVSS 6.5 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L All versions of the package ggit are vulnerable to Arbitrary Argument Injection via the clone() API, which allows specifying the remote URL to clone and the file on disk to clone to. The library does not sanitize for user input or validate a given URL scheme, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.

LOW (source: provenance) No provenance attestation

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 92. Findings: 2 critical (+80), 4 low (+12), 3 info (+0).

Commit: d98eee6a4c63

Published to npm: