All jpeg-js versions

jpeg-js @0.3.7

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 53
License: BSD-3-Clause
Install Scripts: No
Dependencies: 0
Dev Dependencies: 2
Package Size: 18.2 KB
Published

A pure javascript JPEG encoder and decoder

Maintainers

benwiley4000, eugeneware, mrkelly, patrickhulce, petli, strandedcity, xadillax

Keywords

jpeg, jpg, encoder, decoder, codec, image, javascript, js

Dev Dependencies (2)

Package   Constraint   Registry Status
tape      ~2.3.2       auto_approved
redtape   ~0.1.0       Not imported

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule: osv:GHSA-xvf7-4v9q-58w6
Source: osv
Disposition: reject
Author: AI
Reason: AI (osv): DoS vulnerability (infinite loop) affects all versions < 0.4.4; fixed in 0.4.4. Verdict generalizes to all versions in the affected range.

SAST Findings (3)

CRITICAL  GHSA-xvf7-4v9q-58w6: Infinite loop in jpeg-js  (source: osv)

[Always reject] CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H The package jpeg-js before 0.4.4 is vulnerable to Denial of Service (DoS) where a particular piece of input will cause the program to enter an infinite loop and never return.

MEDIUM  GHSA-w7q9-p3jq-fmhm: Uncontrolled resource consumption in jpeg-js  (source: osv)

CVSS 5.5 (MEDIUM) — CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Uncontrolled resource consumption in `jpeg-js` before 0.4.0 may allow an attacker to launch denial of service attacks using a specially crafted JPEG image.

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance attestation from their CI/CD pipeline.

Review Summary

Risk score: 53. Findings: 1 critical (+40), 1 medium (+10), 1 low (+3).

Commit: 6241ba46a3df

Published to npm: