grunt @0.3.17
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
100
Risk Score
MIT
License
No
Install Scripts
16
Dependencies
0
Dev Dependencies
185.8 KB
Package Size
Published
The JavaScript Task Runner
Maintainers
cowboy
Keywords
asynccliminifyuglifybuildunderscoreunittestqunitnodeunitserverinitscaffoldmakejaketool
Dependencies (16)
| Package | Constraint | Registry Status |
|---|---|---|
| nopt | ~1.0.10 | auto_approved |
| async | ~0.1.18 | auto_approved |
| colors | ~0.6.0 | auto_approved |
| hooker | ~0.2.3 | auto_approved |
| jshint | ~0.9.1 | auto_approved |
| prompt | ~0.1.12 | auto_approved |
| semver | ~1.0.13 | No greenflagged match |
| connect | ~2.4.4 | No greenflagged match |
| gzip-js | ~0.3.1 | auto_approved |
| nodeunit | ~0.7.4 | auto_approved |
| temporary | ~0.0.4 | auto_approved |
| uglify-js | ~1.3.3 | auto_approved |
| dateformat | 1.0.2-1.2.3 | auto_approved |
| underscore | ~1.2.4 | No greenflagged match |
| glob-whatev | ~0.1.4 | auto_approved |
| underscore.string | ~2.1.1 | No greenflagged match |
Transitive Dependency Tree
106 transitive deps
max depth 10
├─
async
~0.1.18
→ 0.1.22
├─
colors
~0.6.0
→ 0.6.2
├─
connect
~2.4.4
├─
dateformat
1.0.2-1.2.3
→ 1.0.2-1.2.3
├─
glob-whatev
~0.1.4
→ 0.1.8
├─
gzip-js
~0.3.1
→ 0.3.2
├─
hooker
~0.2.3
→ 0.2.3
├─
jshint
~0.9.1
→ 0.9.1
├─
nodeunit
~0.7.4
→ 0.7.4
├─
nopt
~1.0.10
→ 1.0.10
├─
prompt
~0.1.12
→ 0.1.12
├─
semver
~1.0.13
├─
temporary
~0.0.4
→ 0.0.8
├─
uglify-js
~1.3.3
→ 1.3.5
├─
underscore
~1.2.4
├─
underscore.string
~2.1.1
├─
abbrev
1
├─
async
0.1.x
→ 0.1.22
├─
cli
0.4.3
→ 0.4.3
├─
colors
0.x.x
→ 0.6.2
├─
crc32
>= 0.2.2
→ 0.2.2
├─
deflate-js
>= 0.2.2
→ 0.2.2
├─
minimatch
0.0.x
├─
minimatch
~0.2.5
├─
package
>= 1.0.0 < 1.2.0
→ 1.0.1
├─
pkginfo
0.x.x
→ 0.4.1
├─
tap
>=0.2.3
→ 21.7.4
├─
winston
0.5.x
→ 0.5.11
├─
@tapjs/after
3.3.10
→ 3.3.10
├─
@tapjs/after-each
4.3.10
→ 4.3.10
├─
@tapjs/asserts
4.3.10
→ 4.3.10
├─
@tapjs/before
4.3.10
→ 4.3.10
├─
@tapjs/before-each
4.3.10
→ 4.3.10
├─
@tapjs/chdir
3.3.10
→ 3.3.10
├─
@tapjs/core
4.5.8
→ 4.5.8
├─
@tapjs/filter
4.3.10
→ 4.3.10
├─
@tapjs/fixture
4.3.10
→ 4.3.10
├─
@tapjs/intercept
4.3.10
→ 4.3.10
├─
@tapjs/mock
4.4.8
→ 4.4.8
├─
@tapjs/node-serialize
4.3.10
→ 4.3.10
├─
@tapjs/run
4.5.8
├─
@tapjs/snapshot
4.3.10
→ 4.3.10
├─
@tapjs/spawn
4.3.10
→ 4.3.10
├─
@tapjs/stdin
4.3.10
→ 4.3.10
├─
@tapjs/test
4.4.8
→ 4.4.8
├─
@tapjs/typescript
3.5.10
→ 3.5.10
├─
@tapjs/worker
4.3.10
→ 4.3.10
├─
async
0.1.x
→ 0.1.22
├─
colors
0.x.x
→ 0.6.2
├─
eyes
0.1.x
→ 0.1.8
├─
loggly
0.3.x >=0.3.7
├─
pkginfo
0.2.x
→ 0.2.3
├─
resolve-import
^2.4.0
→ 2.4.0
├─
stack-trace
0.0.x
→ 0.0.10
├─
@isaacs/ts-node-temp-fork-for-pr-2009
^10.9.7
→ 10.9.7
├─
@tapjs/after
3.3.10
├─
@tapjs/after
3.3.10
→ 3.3.10
├─
@tapjs/after-each
4.3.10
├─
@tapjs/asserts
4.3.10
├─
@tapjs/before
4.3.10
├─
@tapjs/before-each
4.3.10
├─
@tapjs/chdir
3.3.10
├─
@tapjs/error-serdes
4.3.2
→ 4.3.2
├─
@tapjs/filter
4.3.10
├─
@tapjs/fixture
4.3.10
├─
@tapjs/intercept
4.3.10
├─
@tapjs/mock
4.4.8
├─
@tapjs/node-serialize
4.3.10
├─
@tapjs/processinfo
^3.1.12
→ 3.1.12
├─
@tapjs/snapshot
4.3.10
├─
@tapjs/spawn
4.3.10
├─
@tapjs/stack
4.3.3
→ 4.3.3
├─
@tapjs/stdin
4.3.10
├─
@tapjs/test
4.4.8
├─
@tapjs/typescript
3.5.10
├─
@tapjs/worker
4.3.10
├─
async-hook-domain
^4.0.1
→ 4.0.1
├─
diff
^8.0.2
→ 8.0.4
├─
function-loop
^4.0.0
→ 4.0.0
├─
glob
^13.0.2
→ 13.0.6
├─
glob
^13.0.0
→ 13.0.6
├─
is-actual-promise
^1.0.1
→ 1.0.2
├─
jackspeak
^4.2.3
→ 4.2.3
├─
minipass
^7.0.4
→ 7.1.3
├─
mkdirp
^3.0.0
→ 3.0.1
├─
package-json-from-dist
^1.0.0
→ 1.0.1
├─
resolve-import
^2.4.0
→ 2.4.0
├─
rimraf
^6.0.0
→ 6.1.3
├─
signal-exit
4.1
→ 4.1.0
├─
sync-content
^2.0.4
→ 2.0.4
├─
tap-parser
18.3.4
→ 18.3.4
├─
tap-yaml
4.4.2
→ 4.4.2
├─
tcompare
9.3.2
→ 9.3.2
├─
trivial-deferred
^2.0.0
→ 2.0.0
├─
tshy
^3.3.2
→ 3.3.2
├─
typescript
5.9
→ 5.9.3
├─
walk-up-path
^4.0.0
→ 4.0.0
├─
@cspotcode/source-map-support
^0.8.0
→ 0.8.1
├─
@isaacs/cliui
^9.0.0
→ 9.0.0
├─
@tsconfig/node14
*
→ 14.1.8
├─
@tsconfig/node16
*
→ 16.1.8
├─
@tsconfig/node18
*
→ 18.2.6
├─
@tsconfig/node20
*
→ 20.1.9
├─
@typescript/native-preview
^7.0.0-dev.20260218.1
→ 7.0.0-dev.20260422.1
├─
acorn
^8.4.1
→ 8.16.0
├─
acorn-walk
^8.1.1
→ 8.3.5
├─
arg
^4.1.0
→ 4.1.3
├─
chalk
^5.6.2
→ 5.6.2
├─
chokidar
^4.0.3
→ 4.0.3
├─
diff
^8.0.2
→ 8.0.4
├─
diff
^4.0.1
→ 4.0.4
├─
events-to-array
^2.0.3
→ 2.0.3
├─
foreground-child
^4.0.0
→ 4.0.3
├─
glob
^13.0.1
→ 13.0.6
├─
glob
^13.0.0
→ 13.0.6
├─
glob
^13.0.3
→ 13.0.6
├─
is-actual-promise
^1.0.1
→ 1.0.2
├─
jsonc-simple-parser
^3.0.0
→ 3.0.0
├─
make-error
^1.1.1
→ 1.3.6
├─
minimatch
^10.0.3
→ 10.2.5
├─
minimatch
^10.2.2
→ 10.2.5
├─
minipass
^7.1.3
→ 7.1.3
├─
minipass
^7.0.4
→ 7.1.3
├─
mkdirp
^3.0.1
→ 3.0.1
├─
node-options-to-argv
^1.0.0
├─
package-json-from-dist
^1.0.1
├─
path-scurry
^2.0.0
→ 2.0.2
├─
path-scurry
^2.0.2
→ 2.0.2
├─
pirates
^4.0.5
→ 4.0.7
├─
polite-json
^5.0.0
→ 5.0.0
├─
process-on-spawn
^1.0.0
→ 1.1.0
├─
react-element-to-jsx-string
^15.0.0
→ 15.0.0
├─
resolve-import
^2.4.0
→ 2.4.0
├─
rimraf
^6.1.2
→ 6.1.3
├─
rimraf
^6.0.0
→ 6.1.3
├─
signal-exit
^4.0.2
→ 4.1.0
├─
sync-content
^2.0.3
→ 2.0.4
├─
tap-yaml
4.4.2
├─
typescript
^5.9.3
→ 5.9.3
├─
uuid
^14.0.0
→ 14.0.0
├─
v8-compile-cache-lib
^3.0.1
→ 3.0.1
├─
walk-up-path
^4.0.0
→ 4.0.0
├─
yaml
^2.8.3
→ 2.8.4
├─
yaml-types
^0.4.0
→ 0.4.0
├─
@base2/pretty-print-object
1.0.1
→ 1.0.1
├─
@jridgewell/trace-mapping
0.3.9
├─
acorn
^8.11.0
→ 8.16.0
├─
brace-expansion
^5.0.5
→ 5.0.6
├─
fromentries
^1.2.0
→ 1.3.2
├─
glob
^13.0.0
→ 13.0.6
├─
glob
^13.0.1
→ 13.0.6
├─
glob
^13.0.3
→ 13.0.6
├─
is-plain-object
5.0.0
→ 5.0.0
├─
lru-cache
^11.0.0
→ 11.5.1
├─
minimatch
^10.2.2
→ 10.2.5
├─
minipass
^7.1.2
→ 7.1.3
├─
minipass
^7.1.3
→ 7.1.3
├─
mkdirp
^3.0.1
→ 3.0.1
├─
package-json-from-dist
^1.0.1
├─
path-scurry
^2.0.0
→ 2.0.2
├─
path-scurry
^2.0.2
→ 2.0.2
├─
react-is
18.1.0
→ 18.1.0
├─
reghex
^3.0.2
→ 3.0.2
├─
rimraf
^6.0.0
→ 6.1.3
├─
signal-exit
^4.0.1
→ 4.1.0
├─
walk-up-path
^4.0.0
→ 4.0.0
├─
balanced-match
^4.0.2
→ 4.0.4
├─
brace-expansion
^5.0.5
→ 5.0.6
├─
glob
^13.0.3
→ 13.0.6
├─
lru-cache
^11.0.0
→ 11.5.1
├─
minimatch
^10.2.2
→ 10.2.5
├─
minipass
^7.1.3
→ 7.1.3
├─
minipass
^7.1.2
→ 7.1.3
├─
package-json-from-dist
^1.0.1
├─
path-scurry
^2.0.2
→ 2.0.2
├─
balanced-match
^4.0.2
→ 4.0.4
├─
brace-expansion
^5.0.5
→ 5.0.6
├─
lru-cache
^11.0.0
→ 11.5.1
├─
minimatch
^10.2.2
→ 10.2.5
├─
minipass
^7.1.3
→ 7.1.3
├─
minipass
^7.1.2
→ 7.1.3
├─
path-scurry
^2.0.2
→ 2.0.2
├─
balanced-match
^4.0.2
→ 4.0.4
├─
brace-expansion
^5.0.5
→ 5.0.6
├─
lru-cache
^11.0.0
→ 11.5.1
├─
minipass
^7.1.2
→ 7.1.3
├─
balanced-match
^4.0.2
→ 4.0.4
Risk Dispositions (2 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
osv:GHSA-rm36-94g8-835r |
osv | reject | AI | AI (osv): HIGH severity TOCTOU race condition fixed in 1.5.3; affects all versions < 1.5.3 including this one. | |
osv:GHSA-j383-35pm-c5h4 |
osv | reject | AI | AI (osv): MODERATE path traversal fixed in 1.5.2; affects all versions < 1.5.2 including this one. |
SAST Findings (4)
CRITICAL
GHSA-j383-35pm-c5h4: Path Traversal in Grunt
osv
[Always reject] CVSS 5.5 (MEDIUM) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Grunt prior to version 1.5.2 is vulnerable to path traversal.
CRITICAL
GHSA-rm36-94g8-835r: Race Condition in Grunt
osv
[Always reject] CVSS 7.0 (HIGH) — CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.
HIGH
GHSA-m5pj-vjjf-4m3h: Arbitrary Code Execution in grunt
osv
CVSS 7.1 (HIGH) — CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 100 (capped from 128). Findings: 2 critical (+80), 1 high (+25), 2 medium (+20), 1 low (+3), 3 info (+0).
Published to npm: