All grunt versions

[email protected] rejected Risk: 100 MIT

grunt @0.2.15

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
npm Repository Homepage Tarball
100
Risk Score
MIT
License
No
Install Scripts
15
Dependencies
0
Dev Dependencies
146.9 KB
Package Size
Published

The JavaScript Task Runner

Maintainers

cowboy

Keywords

climinifyuglifybuildunderscoreunittestmakejaketool

Dependencies (15)

PackageConstraintRegistry Status
nopt ~1.0.10 auto_approved
async ~0.1.15 auto_approved
colors ~0.6.0 auto_approved
hooker ~0.2.3 auto_approved
jshint ~0.5 auto_approved
prompt ~0.1.12 auto_approved
semver ~1.0.13 No greenflagged match
connect ~1.8.5 auto_approved
gzip-js ~0.3.1 auto_approved
nodeunit ~0.6.4 auto_approved
temporary ~0.0.2 auto_approved
uglify-js ~1.0.7 auto_approved
dateformat 1.0.2-1.2.3 auto_approved
underscore ~1.2.4 No greenflagged match
glob-whatev ~0.1.0 auto_approved

Transitive Dependency Tree

56 transitive deps max depth 9
  ├─ async ~0.1.15 → 0.1.22
  ├─ colors ~0.6.0 → 0.6.2
  ├─ connect ~1.8.5 → 1.8.7
  ├─ dateformat 1.0.2-1.2.3 → 1.0.2-1.2.3
  ├─ glob-whatev ~0.1.0 → 0.1.8
  ├─ gzip-js ~0.3.1 → 0.3.2
  ├─ hooker ~0.2.3 → 0.2.3
  ├─ jshint ~0.5 → 0.5.9
  ├─ nodeunit ~0.6.4 → 0.6.4
  ├─ nopt ~1.0.10 → 1.0.10
  ├─ prompt ~0.1.12 → 0.1.12
  ├─ semver ~1.0.13
  ├─ temporary ~0.0.2 → 0.0.8
  ├─ uglify-js ~1.0.7 → 1.0.7
├─ underscore ~1.2.4
  ├─ abbrev 1
  ├─ argsparser >=0.0.3 → 0.0.7
  ├─ async 0.1.x → 0.1.22
  ├─ colors 0.x.x → 0.6.2
  ├─ crc32 >= 0.2.2 → 0.2.2
  ├─ deflate-js >= 0.2.2 → 0.2.2
  ├─ formidable 1.0.x → 1.0.17
  ├─ mime >= 0.0.1 → 4.1.0
  ├─ minimatch ~0.2.5
  ├─ minimatch >=0.0.4 → 10.2.5
  ├─ package >= 1.0.0 < 1.2.0 → 1.0.1
  ├─ pkginfo 0.x.x → 0.4.1
  ├─ qs >= 0.4.0 → 6.15.2
  ├─ tap-assert >=0.0.9 → 0.0.11
  ├─ tap-producer >=0.0.1 → 0.0.1
├─ winston 0.5.x → 0.5.11
  ├─ async 0.1.x → 0.1.22
  ├─ brace-expansion ^5.0.5 → 5.0.6
  ├─ colors 0.x.x → 0.6.2
  ├─ eyes 0.1.x → 0.1.8
  ├─ inherits * → 2.0.4
  ├─ loggly 0.3.x >=0.3.7
  ├─ pkginfo 0.2.x → 0.2.3
  ├─ side-channel ^1.1.0 → 1.1.0
  ├─ stack-trace 0.0.x → 0.0.10
  ├─ tap-results 0.x → 0.0.2
├─ yamlish * → 0.0.7
  ├─ balanced-match ^4.0.2 → 4.0.4
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ inherits ~1.0.0 → 1.0.2
  ├─ object-inspect ^1.13.3 → 1.13.4
  ├─ side-channel-list ^1.0.0 → 1.0.1
  ├─ side-channel-map ^1.0.1 → 1.0.1
├─ side-channel-weakmap ^1.0.2 → 1.0.2
  ├─ call-bound ^1.0.2 → 1.0.4
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ get-intrinsic ^1.2.5 → 1.3.1
  ├─ object-inspect ^1.13.3 → 1.13.4
  ├─ object-inspect ^1.13.4 → 1.13.4
├─ side-channel-map ^1.0.1 → 1.0.1
  ├─ async-function ^1.0.0
  ├─ async-generator-function ^1.0.0 → 1.0.0
  ├─ call-bind-apply-helpers ^1.0.2 → 1.0.2
  ├─ call-bound ^1.0.2 → 1.0.4
  ├─ es-define-property ^1.0.1 → 1.0.1
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ es-object-atoms ^1.1.1 → 1.1.2
  ├─ function-bind ^1.1.2 → 1.1.2
  ├─ generator-function ^2.0.0 → 2.0.1
  ├─ get-intrinsic ^1.2.5 → 1.3.1
  ├─ get-intrinsic ^1.3.0 → 1.3.1
  ├─ get-proto ^1.0.1
  ├─ gopd ^1.2.0 → 1.2.0
  ├─ has-symbols ^1.1.0 → 1.1.0
  ├─ hasown ^2.0.2 → 2.0.4
  ├─ math-intrinsics ^1.1.0 → 1.1.0
├─ object-inspect ^1.13.3 → 1.13.4
  ├─ async-function ^1.0.0
  ├─ async-generator-function ^1.0.0 → 1.0.0
  ├─ call-bind-apply-helpers ^1.0.2 → 1.0.2
  ├─ es-define-property ^1.0.1 → 1.0.1
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ es-object-atoms ^1.1.1 → 1.1.2
  ├─ function-bind ^1.1.2 → 1.1.2
  ├─ generator-function ^2.0.0 → 2.0.1
  ├─ get-intrinsic ^1.3.0 → 1.3.1
  ├─ get-proto ^1.0.1
  ├─ gopd ^1.2.0 → 1.2.0
  ├─ has-symbols ^1.1.0 → 1.1.0
  ├─ hasown ^2.0.2 → 2.0.4
├─ math-intrinsics ^1.1.0 → 1.1.0
  ├─ async-function ^1.0.0
  ├─ async-generator-function ^1.0.0 → 1.0.0
  ├─ call-bind-apply-helpers ^1.0.2 → 1.0.2
  ├─ es-define-property ^1.0.1 → 1.0.1
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ es-object-atoms ^1.1.1 → 1.1.2
  ├─ function-bind ^1.1.2 → 1.1.2
  ├─ generator-function ^2.0.0 → 2.0.1
  ├─ get-proto ^1.0.1
  ├─ gopd ^1.2.0 → 1.2.0
  ├─ has-symbols ^1.1.0 → 1.1.0
  ├─ hasown ^2.0.2 → 2.0.4
├─ math-intrinsics ^1.1.0 → 1.1.0
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ function-bind ^1.1.2 → 1.1.2

Risk Dispositions (2 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule Source Disposition Author Reason
osv:GHSA-rm36-94g8-835r osv reject AI AI (osv): HIGH severity TOCTOU race condition fixed in 1.5.3; affects all versions < 1.5.3 including this one.
osv:GHSA-j383-35pm-c5h4 osv reject AI AI (osv): MODERATE path traversal fixed in 1.5.2; affects all versions < 1.5.2 including this one.

SAST Findings (4)

CRITICAL GHSA-j383-35pm-c5h4: Path Traversal in Grunt osv

[Always reject] CVSS 5.5 (MEDIUM) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Grunt prior to version 1.5.2 is vulnerable to path traversal.

CRITICAL GHSA-rm36-94g8-835r: Race Condition in Grunt osv

[Always reject] CVSS 7.0 (HIGH) — CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.

HIGH GHSA-m5pj-vjjf-4m3h: Arbitrary Code Execution in grunt osv

CVSS 7.1 (HIGH) — CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Review Summary

Risk score: 100 (capped from 138). Findings: 2 critical (+80), 1 high (+25), 3 medium (+30), 1 low (+3), 3 info (+0).

Published to npm: