All grunt versions

grunt @1.4.1

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 83
License: MIT
Install Scripts: No
Dependencies: 15
Dev Dependencies: 7
Package Size: 23.8 KB
Published

The JavaScript Task Runner

Maintainers

cowboy, tkellen, vladikoff, shama

Keywords

task, async, cli, minify, uglify, build, lodash, unit, test, qunit, nodeunit, server, init, scaffold, make, jake, tool

Dependencies (15)

Package              Constraint   Registry Status
exit                 ~0.1.2       auto_approved
glob                 ~7.1.6       auto_approved
nopt                 ~3.0.6       auto_approved
mkdirp               ~1.0.4       auto_approved
rimraf               ~3.0.2       auto_approved
js-yaml              ~3.14.0      auto_approved
grunt-cli            ~1.4.2       auto_approved
minimatch            ~3.0.4       No greenflagged match
dateformat           ~3.0.3       auto_approved
iconv-lite           ~0.4.13      auto_approved
findup-sync          ~0.3.0       No greenflagged match
eventemitter2        ~0.4.13      auto_approved
grunt-legacy-log     ~3.0.0       auto_approved
grunt-legacy-util    ~2.0.1       auto_approved
grunt-known-options  ~2.0.0       auto_approved

Dev Dependencies (7)

Package                 Constraint   Registry Status
difflet                 ~1.0.1       auto_approved
through2                ~4.0.2       auto_approved
temporary               ~0.0.4       auto_approved
grunt-eslint            ~18.1.0      auto_approved
eslint-config-grunt     ~1.0.1       Not imported
grunt-contrib-watch     ~1.1.0       auto_approved
grunt-contrib-nodeunit  ~3.0.0       auto_approved

Transitive Dependency Tree

83 transitive deps max depth 8
  ├─ dateformat ~3.0.3 → 3.0.3
  ├─ eventemitter2 ~0.4.13 → 0.4.13
  ├─ exit ~0.1.2 → 0.1.2
  ├─ findup-sync ~0.3.0
  ├─ glob ~7.1.6 → 7.1.7
  ├─ grunt-cli ~1.4.2 → 1.4.3
  ├─ grunt-known-options ~2.0.0 → 2.0.0
  ├─ grunt-legacy-log ~3.0.0 → 3.0.1
  ├─ grunt-legacy-util ~2.0.1 → 2.0.1
  ├─ iconv-lite ~0.4.13 → 0.4.24
  ├─ js-yaml ~3.14.0 → 3.14.2
  ├─ minimatch ~3.0.4
  ├─ mkdirp ~1.0.4 → 1.0.4
  ├─ nopt ~3.0.6 → 3.0.6
  ├─ rimraf ~3.0.2 → 3.0.2
  ├─ abbrev 1
  ├─ argparse ^1.0.7 → 1.0.10
  ├─ async ~3.2.0 → 3.2.6
  ├─ colors ~1.1.2 → 1.1.2
  ├─ esprima ^4.0.0 → 4.0.1
  ├─ exit ~0.1.2 → 0.1.2
  ├─ fs.realpath ^1.0.0
  ├─ getobject ~1.0.0 → 1.0.2
  ├─ glob ^7.1.3 → 7.1.7
  ├─ grunt-known-options ~2.0.0 → 2.0.0
  ├─ grunt-legacy-log-utils ^2.1.3 → 2.1.3
  ├─ hooker ~0.2.3 → 0.2.3
  ├─ inflight ^1.0.4
  ├─ inherits 2 → 2.0.4
  ├─ interpret ~1.1.0
  ├─ liftup ~3.0.1 → 3.0.1
  ├─ lodash ^4.18.0 → 4.18.1
  ├─ lodash ~4.17.21
  ├─ minimatch ^3.0.4 → 3.1.5
  ├─ nopt ~4.0.1 → 4.0.3
  ├─ once ^1.3.0 → 1.4.0
  ├─ path-is-absolute ^1.0.0 → 1.0.1
  ├─ safer-buffer >= 2.1.2 < 3 → 2.1.2
  ├─ underscore.string ~3.3.5 → 3.3.6
  ├─ v8flags ~3.2.0
  ├─ which ~2.0.2 → 2.0.2
  ├─ abbrev 1
  ├─ brace-expansion ^1.1.7 → 1.1.15
  ├─ chalk ^4.1.0 → 4.1.2
  ├─ extend ^3.0.2 → 3.0.2
  ├─ findup-sync ^4.0.0 → 4.0.0
  ├─ fined ^1.2.0
  ├─ flagged-respawn ^1.0.1
  ├─ fs.realpath ^1.0.0
  ├─ inflight ^1.0.4
  ├─ inherits 2 → 2.0.4
  ├─ is-plain-object ^2.0.4 → 2.0.4
  ├─ isexe ^2.0.0 → 2.0.0
  ├─ minimatch ^3.0.4 → 3.1.5
  ├─ object.map ^1.0.1 → 1.0.1
  ├─ once ^1.3.0 → 1.4.0
  ├─ osenv ^0.1.4 → 0.1.5
  ├─ path-is-absolute ^1.0.0 → 1.0.1
  ├─ rechoir ^0.7.0
  ├─ resolve ^1.19.0 → 1.22.11
  ├─ sprintf-js ^1.1.1 → 1.1.3
  ├─ sprintf-js ~1.0.2 → 1.0.3
  ├─ util-deprecate ^1.0.2 → 1.0.2
  ├─ wrappy 1 → 1.0.2
  ├─ ansi-styles ^4.1.0 → 4.3.0
  ├─ balanced-match ^1.0.0 → 1.0.2
  ├─ brace-expansion ^1.1.7 → 1.1.15
  ├─ concat-map 0.0.1 → 0.0.1
  ├─ detect-file ^1.0.0 → 1.0.0
  ├─ for-own ^1.0.0 → 1.0.0
  ├─ is-core-module ^2.16.1 → 2.16.2
  ├─ is-glob ^4.0.0 → 4.0.3
  ├─ isobject ^3.0.1 → 3.0.1
  ├─ make-iterator ^1.0.0 → 1.0.1
  ├─ micromatch ^4.0.2 → 4.0.8
  ├─ os-homedir ^1.0.0 → 1.0.2
  ├─ os-tmpdir ^1.0.0 → 1.0.2
  ├─ path-parse ^1.0.7 → 1.0.7
  ├─ resolve-dir ^1.0.1 → 1.0.1
  ├─ supports-color ^7.1.0 → 7.2.0
  ├─ supports-preserve-symlinks-flag ^1.0.0 → 1.0.0
  ├─ wrappy 1 → 1.0.2
  ├─ balanced-match ^1.0.0 → 1.0.2
  ├─ braces ^3.0.3 → 3.0.3
  ├─ color-convert ^2.0.1
  ├─ concat-map 0.0.1 → 0.0.1
  ├─ expand-tilde ^2.0.0 → 2.0.2
  ├─ for-in ^1.0.1 → 1.0.2
  ├─ global-modules ^1.0.0 → 1.0.0
  ├─ has-flag ^4.0.0 → 4.0.0
  ├─ hasown ^2.0.3 → 2.0.4
  ├─ is-extglob ^2.1.1 → 2.1.1
  ├─ kind-of ^6.0.2 → 6.0.3
  ├─ picomatch ^2.3.1 → 2.3.2
  ├─ fill-range ^7.1.1 → 7.1.1
  ├─ function-bind ^1.1.2 → 1.1.2
  ├─ global-prefix ^1.0.1
  ├─ homedir-polyfill ^1.0.1 → 1.0.3
  ├─ is-windows ^1.0.1 → 1.0.2
  ├─ parse-passwd ^1.0.0 → 1.0.0
  ├─ to-regex-range ^5.0.1 → 5.0.1
  ├─ is-number ^7.0.0 → 7.0.0

Risk Dispositions (2 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule                     Source  Disposition  Author  Reason
osv:GHSA-rm36-94g8-835r  osv     reject       AI      AI (osv): HIGH severity TOCTOU race condition fixed in 1.5.3; affects all versions < 1.5.3 including this one.
osv:GHSA-j383-35pm-c5h4  osv     reject       AI      AI (osv): MODERATE path traversal fixed in 1.5.2; affects all versions < 1.5.2 including this one.

SAST Findings (3)

CRITICAL GHSA-j383-35pm-c5h4: Path Traversal in Grunt osv

[Always reject] CVSS 5.5 (MEDIUM) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Grunt prior to version 1.5.2 is vulnerable to path traversal.

CRITICAL GHSA-rm36-94g8-835r: Race Condition in Grunt osv

[Always reject] CVSS 7.0 (HIGH) — CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. The arbitrary file write can lead to local privilege escalation to the GruntJS user when a lower-privileged user has write access to both the source and destination directories: that user can create a symlink to the GruntJS user's .bashrc file, or replace the /etc/shadow file if the GruntJS user is root.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.

Review Summary

Risk score: 83. Findings: 2 critical (+80), 1 low (+3), 4 info (+0).

Commit: ee722d15ed21

Published to npm: