isomorphic-git @1.37.2
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
93
Risk Score
MIT
License
No
Install Scripts
11
Dependencies
48
Dev Dependencies
1137.3 KB
Package Size
Published
A pure JavaScript reimplementation of git for node and browsers
Maintainers
wmhiltonmojavelinuxjcubic
Keywords
gitisomorphic
Dependencies (11)
| Package | Constraint | Registry Status |
|---|---|---|
| pako | ^1.0.10 | auto_approved |
| pify | ^4.0.1 | auto_approved |
| diff3 | 0.0.3 | auto_approved |
| crc-32 | ^1.2.0 | auto_approved |
| ignore | ^5.1.4 | auto_approved |
| sha.js | ^2.4.12 | auto_approved |
| async-lock | ^1.4.1 | auto_approved |
| minimisted | ^2.0.0 | No greenflagged match |
| simple-get | ^4.0.1 | auto_approved |
| clean-git-ref | ^2.0.1 | auto_approved |
| readable-stream | ^4.0.0 | auto_approved |
Dev Dependencies (48)
| Package | Constraint | Registry Status |
|---|---|---|
| nps | ^5.10.0 | No greenflagged match |
| jest | ^30.2.0 | auto_approved |
| rxjs | ^5.5.12 | auto_approved |
| agadoo | 2.0.0 | Not imported |
| envify | 4.1.0 | auto_approved |
| eslint | ^8.57.1 | auto_approved |
| rollup | 1.29.1 | auto_approved |
| webpack | ^5.0.1 | auto_approved |
| inquirer | ^7.0.0 | auto_approved |
| prettier | ^3.6.2 | auto_approved |
| standard | ^17.1.2 | auto_approved |
| cross-env | 6.0.0 | No greenflagged match |
| jsdoc-api | 5.0.3 | auto_approved |
| nps-utils | 1.7.0 | Not imported |
| decompress | ^4.2.0 | auto_approved |
| diff-lines | 1.1.1 | Not imported |
| jest-junit | ^15.0.0 | No greenflagged match |
| typescript | ^5.8.0 | auto_approved |
| @types/jest | ^30.0.0 | auto_approved |
| @types/node | ^20.19.16 | auto_approved |
| @zenfs/core | ^2.0.0 | No greenflagged match |
| bundlewatch | ^0.4.1 | Not imported |
| timeout-cli | 0.3.2 | Not imported |
| webpack-cli | ^4.0.0 | No greenflagged match |
| pretty-format | 24.9.0 | auto_approved |
| github-comment | 1.0.1 | Not imported |
| jest-puppeteer | ^11.0.0 | Not imported |
| markdown-table | ^2.0.0 | No greenflagged match |
| replace-in-file | 4.1.3 | No greenflagged match |
| semantic-release | 17.4.7 | auto_approved |
| eslint-plugin-node | ^11.0.0 | auto_approved |
| all-contributors-cli | 6.20.0 | No greenflagged match |
| eslint-plugin-import | ^2.20.1 | auto_approved |
| git-http-mock-server | 2.0.0 | Not imported |
| eslint-plugin-promise | ^6.6.0 | auto_approved |
| @semantic-release/exec | 5.0.0 | No greenflagged match |
| eslint-config-prettier | ^7.2.0 | auto_approved |
| eslint-config-standard | ^17.1.0 | auto_approved |
| eslint-plugin-prettier | ^5.5.4 | auto_approved |
| eslint-plugin-standard | ^4.0.1 | auto_approved |
| webpack-bundle-analyzer | 3.4.1 | No greenflagged match |
| prettier-config-standard | ^1.0.1 | No greenflagged match |
| @isomorphic-git/cors-proxy | ^3.0.0 | Not imported |
| @isomorphic-git/pgp-plugin | 0.0.7 | No greenflagged match |
| rollup-plugin-node-resolve | 5.2.0 | auto_approved |
| @isomorphic-git/lightning-fs | ^3.3.0 | No greenflagged match |
| eslint-config-prettier-standard | ^4.0.1 | Not imported |
| duplicate-package-checker-webpack-plugin | 3.0.0 | auto_approved |
Transitive Dependency Tree
44 transitive deps
max depth 7
├─
async-lock
^1.4.1
→ 1.4.1
├─
clean-git-ref
^2.0.1
→ 2.0.1
├─
crc-32
^1.2.0
→ 1.2.2
├─
diff3
0.0.3
→ 0.0.3
├─
ignore
^5.1.4
→ 5.3.2
├─
minimisted
^2.0.0
├─
pako
^1.0.10
→ 1.0.11
├─
pify
^4.0.1
→ 4.0.1
├─
readable-stream
^4.0.0
→ 4.7.0
├─
sha.js
^2.4.12
→ 2.4.12
├─
simple-get
^4.0.1
→ 4.0.1
├─
abort-controller
^3.0.0
→ 3.0.0
├─
buffer
^6.0.3
→ 6.0.3
├─
decompress-response
^6.0.0
├─
events
^3.3.0
→ 3.3.0
├─
inherits
^2.0.4
→ 2.0.4
├─
once
^1.3.1
→ 1.4.0
├─
process
^0.11.10
→ 0.11.10
├─
safe-buffer
^5.2.1
→ 5.2.1
├─
simple-concat
^1.0.0
→ 1.0.1
├─
string_decoder
^1.3.0
→ 1.3.0
├─
to-buffer
^1.2.0
→ 1.2.2
├─
base64-js
^1.3.1
→ 1.5.1
├─
event-target-shim
^5.0.0
├─
ieee754
^1.2.1
→ 1.2.1
├─
isarray
^2.0.5
→ 2.0.5
├─
safe-buffer
^5.2.1
→ 5.2.1
├─
safe-buffer
~5.2.0
→ 5.2.1
├─
typed-array-buffer
^1.0.3
→ 1.0.3
├─
wrappy
1
→ 1.0.2
├─
call-bound
^1.0.3
→ 1.0.4
├─
es-errors
^1.3.0
→ 1.3.0
├─
is-typed-array
^1.1.14
├─
call-bind-apply-helpers
^1.0.2
→ 1.0.2
├─
get-intrinsic
^1.3.0
→ 1.3.1
├─
async-function
^1.0.0
├─
async-generator-function
^1.0.0
→ 1.0.0
├─
call-bind-apply-helpers
^1.0.2
→ 1.0.2
├─
es-define-property
^1.0.1
→ 1.0.1
├─
es-errors
^1.3.0
→ 1.3.0
├─
es-object-atoms
^1.1.1
→ 1.1.2
├─
function-bind
^1.1.2
→ 1.1.2
├─
generator-function
^2.0.0
→ 2.0.1
├─
get-proto
^1.0.1
├─
gopd
^1.2.0
→ 1.2.0
├─
has-symbols
^1.1.0
→ 1.1.0
├─
hasown
^2.0.2
→ 2.0.4
├─
math-intrinsics
^1.1.0
→ 1.1.0
├─
es-errors
^1.3.0
→ 1.3.0
├─
function-bind
^1.1.2
→ 1.1.2
Changes from v1.37.0
No metadata changes detected.
File Changes
0 added
0 removed
10 modified
size delta: +11.5 KB
Risk Dispositions (0 applicable to this version, 1 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
Show 1 disposition(s) that do not match any finding on this version
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
bogus-package |
bogus-package | reject | AI | AI (bogus-package): Inflated semver on first publish and off-topic README are consistent with impersonation of the real isomorphic-git package; generalizes to all versions from this publisher. |
SAST Findings (1)
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
Review Summary
Risk score: 93. Findings: 9 medium (+90), 1 low (+3).
Commit: 556ba32cf116 Browse source
Published to npm: