All hoek versions

[email protected] rejected Risk: 53 BSD-3-Clause

hoek @6.0.0

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
npm Repository Homepage Tarball
53
Risk Score
BSD-3-Clause
License
No
Install Scripts
0
Dependencies
2
Dev Dependencies
7.9 KB
Package Size
Published

General purpose node utilities

Maintainers

hueniversekanongilmarsupnlfwyatt

Keywords

utilities

Dev Dependencies (2)

PackageConstraintRegistry Status
lab 17.x.x auto_approved
code 5.x.x auto_approved

Changes from v4.2.1

No metadata changes detected.

File Changes

1 added 0 removed 6 modified size delta: -3.2 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule Source Disposition Author Reason
osv:GHSA-c429-5p7v-vgjp osv reject AI AI (osv): Prototype pollution vulnerability affects all hoek versions <= 6.1.3; the entire 6.x line is within the affected range and no fix exists for this branch. Verdict generalizes to all 6.x versions.

SAST Findings (2)

CRITICAL GHSA-c429-5p7v-vgjp: hoek subject to prototype pollution via the clone function. osv

[Always reject] CVSS 8.1 (HIGH) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 53. Findings: 1 critical (+40), 1 medium (+10), 1 low (+3).

Commit: aa52fdb4cc46 Browse source

Published to npm: