ggit @2.4.2

Status: rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.

Risk Score: 92
License: MIT
Install Scripts: No
Dependencies: 21
Dev Dependencies: 31
Package Size: 18.9 KB

Local promise-returning git command wrappers

Maintainers

bahmutov

Keywords

git, javascript, js, nodejs, repo, wrapper

Dependencies (21)

| Package | Constraint | Registry Status |
|---|---|---|
| q | 2.0.3 | auto_approved |
| glob | 7.1.2 | No greenflagged match |
| debug | 3.1.0 | auto_approved |
| quote | 0.4.0 | auto_approved |
| ramda | 0.25.0 | auto_approved |
| colors | 1.1.2 | auto_approved |
| lodash | 4.17.4 | No greenflagged match |
| moment | 2.19.3 | No greenflagged match |
| semver | 5.4.1 | No greenflagged match |
| find-up | 2.1.0 | auto_approved |
| bluebird | 3.5.1 | auto_approved |
| lazy-ass | 1.6.0 | auto_approved |
| optimist | 0.6.1 | auto_approved |
| cli-table | 0.3.1 | auto_approved |
| commander | 2.12.2 | auto_approved |
| pluralize | 7.0.0 | auto_approved |
| d3-helpers | 0.3.0 | auto_approved |
| always-error | 1.0.0 | auto_approved |
| chdir-promise | 0.6.2 | auto_approved |
| moment-timezone | 0.5.14 | No greenflagged match |
| check-more-types | 2.24.0 | auto_approved |

Dev Dependencies (31)

| Package | Constraint | Registry Status |
|---|---|---|
| gt | 0.10.0 | No greenflagged match |
| grunt | 0.4.5 | rejected |
| mocha | 4.0.1 | auto_approved |
| rocha | 2.5.0 | Not imported |
| sinon | 4.1.2 | auto_approved |
| pre-git | 3.16.0 | Not imported |
| matchdep | 2.0.0 | auto_approved |
| standard | 10.0.3 | auto_approved |
| grunt-cli | 0.1.13 | auto_approved |
| git-issues | 1.3.1 | Not imported |
| grunt-bump | 0.8.0 | auto_approved |
| time-grunt | 1.4.0 | No greenflagged match |
| common-tags | 1.5.1 | auto_approved |
| describe-it | 1.7.0 | Not imported |
| schema-shot | 1.9.0 | Not imported |
| grunt-readme | 0.4.5 | Not imported |
| snap-shot-it | 4.0.1 | Not imported |
| grunt-deps-ok | 0.9.0 | Not imported |
| grunt-jsonlint | 1.1.0 | Not imported |
| jshint-stylish | 2.2.1 | auto_approved |
| jshint-summary | 0.4.0 | Not imported |
| qunit-promises | 0.2.0 | Not imported |
| grunt-filenames | 0.4.0 | Not imported |
| if-node-version | 1.1.1 | Not imported |
| stub-spawn-once | 2.3.0 | Not imported |
| semantic-release | 8.2.3 | auto_approved |
| prettier-standard | 7.0.3 | Not imported |
| grunt-nice-package | 0.10.4 | Not imported |
| next-update-travis | 1.7.1 | Not imported |
| github-post-release | 1.13.1 | Not imported |
| simple-commit-message | 3.3.2 | Not imported |

Transitive Dependency Tree

32 transitive deps, max depth 5
  ├─ always-error 1.0.0 → 1.0.0
  ├─ bluebird 3.5.1 → 3.5.1
  ├─ chdir-promise 0.6.2 → 0.6.2
  ├─ check-more-types 2.24.0 → 2.24.0
  ├─ cli-table 0.3.1 → 0.3.1
  ├─ colors 1.1.2 → 1.1.2
  ├─ commander 2.12.2 → 2.12.2
  ├─ d3-helpers 0.3.0 → 0.3.0
  ├─ debug 3.1.0 → 3.1.0
  ├─ find-up 2.1.0 → 2.1.0
  ├─ glob 7.1.2
  ├─ lazy-ass 1.6.0 → 1.6.0
  ├─ lodash 4.17.4
  ├─ moment 2.19.3
  ├─ moment-timezone 0.5.14
  ├─ optimist 0.6.1 → 0.6.1
  ├─ pluralize 7.0.0 → 7.0.0
  ├─ q 2.0.3 → 2.0.3
  ├─ quote 0.4.0 → 0.4.0
  ├─ ramda 0.25.0 → 0.25.0
  ├─ semver 5.4.1
  ├─ asap ^2.0.0 → 2.0.6
  ├─ bluebird ^3.5.1 → 3.7.2
  ├─ check-more-types 2.24.0 → 2.24.0
  ├─ colors 1.0.3 → 1.0.3
  ├─ debug 3.1.0 → 3.1.0
  ├─ lazy-ass 1.6.0 → 1.6.0
  ├─ locate-path ^2.0.0 → 2.0.0
  ├─ minimist ~0.0.1
  ├─ ms 2.0.0 → 2.0.0
  ├─ pop-iterate ^1.0.1 → 1.0.1
  ├─ weak-map ^1.0.5 → 1.0.8
  ├─ wordwrap ~0.0.2 → 0.0.2
  ├─ ms 2.0.0 → 2.0.0
  ├─ p-locate ^2.0.0 → 2.0.0
  ├─ path-exists ^3.0.0 → 3.0.0
  ├─ p-limit ^1.1.0 → 1.3.0
  └─ p-try ^1.0.0 → 1.0.0

Changes from v0.14.0

Dependency Changes

| Change | Package | Version |
|---|---|---|
| added | debug | 3.1.0 |
| added | semver | 5.4.1 |
| added | find-up | 2.1.0 |
| added | bluebird | 3.5.1 |
| added | pluralize | 7.0.0 |
| added | always-error | 1.0.0 |
| added | moment-timezone | 0.5.14 |
| removed | check-types | 1.4.0 |
| changed | glob | 4.3.5 → 7.1.2 |
| changed | ramda | 0.9.1 → 0.25.0 |
| changed | colors | 1.0.3 → 1.1.2 |
| changed | lodash | 3.1.0 → 4.17.4 |
| changed | moment | 2.9.0 → 2.19.3 |
| changed | lazy-ass | 0.5.3 → 1.6.0 |
| changed | commander | 2.6.0 → 2.12.2 |
| changed | chdir-promise | 0.2.1 → 0.6.2 |
| changed | check-more-types | 1.3.0 → 2.24.0 |

Script Changes

+ lint
+ size
+ build
+ grunt
+ mocha
+ rocha
+ commit
+ issues
+ pretty
+ prelint
+ pretest
+ mocha:src
+ mocha:spec
+ file-status
+ semantic-release

File Changes

13 added, 83 removed, 21 modified; size delta: -537.7 KB

Risk Dispositions (2 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-62cx-5xj4-wfm4 | osv | reject | AI | AI (osv): Command injection via fetchTags() affects all versions <= 2.4.12 with no fix; verdict generalizes to every version in this range. |
| osv:GHSA-pr45-cg4x-ff4m | osv | reject | AI | AI (osv): Argument injection via clone() affects all versions <= 2.4.12 with no fix; verdict generalizes to every version in this range. |

SAST Findings (3)

CRITICAL (source: osv) GHSA-62cx-5xj4-wfm4: ggit is vulnerable to Command Injection via the fetchTags(branch) API

[Always reject] CVSS 7.3 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API.

CRITICAL (source: osv) GHSA-pr45-cg4x-ff4m: ggit is vulnerable to Arbitrary Argument Injection via the clone() API

[Always reject] CVSS 6.5 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L All versions of the package ggit are vulnerable to Arbitrary Argument Injection via the clone() API, which allows specifying the remote URL to clone and the file on disk to clone to. The library does not sanitize for user input or validate a given URL scheme, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.

LOW (source: provenance) No provenance attestation

Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.

Review Summary

Risk score: 92. Findings: 2 critical (+80), 4 low (+12), 3 info (+0).

Commit: 9e0c7b6edfb9

Published to npm: