grunt @0.4.2
The JavaScript Task Runner
Maintainers
Keywords
Dependencies (18)
| Package | Constraint | Registry Status |
|---|---|---|
| exit | ~0.1.1 | auto_approved |
| glob | ~3.1.21 | auto_approved |
| nopt | ~1.0.10 | auto_approved |
| async | ~0.1.22 | auto_approved |
| which | ~1.0.5 | auto_approved |
| colors | ~0.6.2 | auto_approved |
| hooker | ~0.2.3 | auto_approved |
| lodash | ~0.9.2 | No greenflagged match |
| rimraf | ~2.0.3 | auto_approved |
| js-yaml | ~2.0.5 | No greenflagged match |
| getobject | ~0.1.0 | rejected |
| minimatch | ~0.2.12 | No greenflagged match |
| dateformat | 1.0.2-1.2.3 | auto_approved |
| iconv-lite | ~0.2.11 | auto_approved |
| findup-sync | ~0.1.2 | No greenflagged match |
| coffee-script | ~1.3.3 | auto_approved |
| eventemitter2 | ~0.4.13 | auto_approved |
| underscore.string | ~2.2.1 | No greenflagged match |
Dev Dependencies (7)
| Package | Constraint | Registry Status |
|---|---|---|
| semver | 2.1.0 | No greenflagged match |
| difflet | ~0.2.3 | auto_approved |
| shelljs | ~0.2.5 | No greenflagged match |
| temporary | ~0.0.4 | auto_approved |
| grunt-contrib-watch | ~0.5.3 | auto_approved |
| grunt-contrib-jshint | ~0.6.4 | auto_approved |
| grunt-contrib-nodeunit | ~0.2.0 | auto_approved |
Transitive Dependency Tree
Risk Dispositions (2 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
osv:GHSA-rm36-94g8-835r |
osv | reject | AI | AI (osv): HIGH severity TOCTOU race condition fixed in 1.5.3; affects all versions < 1.5.3 including this one. | |
osv:GHSA-j383-35pm-c5h4 |
osv | reject | AI | AI (osv): MODERATE path traversal fixed in 1.5.2; affects all versions < 1.5.2 including this one. |
SAST Findings (4)
[Always reject] CVSS 5.5 (MEDIUM) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Grunt prior to version 1.5.2 is vulnerable to path traversal.
[Always reject] CVSS 7.0 (HIGH) — CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.
CVSS 7.1 (HIGH) — CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
Review Summary
Risk score: 100 (capped from 118). Findings: 2 critical (+80), 1 high (+25), 1 medium (+10), 1 low (+3), 2 info (+0).
Published to npm: