jsonpointer @4.1.0

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 68
License: MIT
Install Scripts: No
Dependencies: 0
Dev Dependencies: 2
Package Size: 2.7 KB
Published

Simple JSON Addressing.

Maintainers

jan, marcbachmann

Dev Dependencies (2)

| Package | Constraint | Registry Status |
| --- | --- | --- |
| standard | ^14.3.4 | auto_approved |
| semantic-release | ^17.1.1 | auto_approved |

Changes from v3.0.1

Dependency Changes

Script Changes

+ test:all
+ test:standard
+ semantic-release

File Changes

1 added, 3 removed, 3 modified; size delta: -3.3 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

| Rule | Source | Disposition | Author | Reason |
| --- | --- | --- | --- | --- |
| osv:GHSA-282f-qqgm-c34q | osv | reject | AI | AI (osv): Advisory affects all versions < 5.0.0; fix available in 5.0.0. Verdict generalizes to all unfixed versions of this package. |

SAST Findings (3)

CRITICAL: GHSA-282f-qqgm-c34q: Prototype Pollution in node-jsonpointer (source: osv)

[Always reject] CVSS 5.6 (MEDIUM): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

This affects the package `jsonpointer` before `5.0.0`. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.

HIGH: Publisher changed: marcbachmann → jan (on 2020-07-03) (source: provenance)

This version was published on 2020-07-03 by a different npm account than the one that published previous versions. This could indicate a legitimate maintainer transition or an account compromise.

LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 68. Findings: 1 critical (+40), 1 high (+25), 1 low (+3).

Commit: b67e4026a102

Published to npm: