[email protected] rejected Risk: 43 No license 2011-03-07

markdown @0.2.1

rejected

This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.

npm Repository Tarball

Risk Score

—

License

Install Scripts

Dependencies

Dev Dependencies

103.8 KB

Package Size

2011-03-07

Published

A sensible Markdown parser for javascript

Maintainers

Dominic BaggottAsh Berlin

Keywords

markdowntext processingast

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule	Source	Disposition	Author	Reason
`osv:GHSA-wx77-rp39-c6vg`	osv	reject	AI	AI (osv): ReDoS affects all versions of this package with no fix available; verdict generalizes to every published version.

SAST Findings (2)

CRITICAL GHSA-wx77-rp39-c6vg: Regular Expression Denial of Service in markdown osv

[Always reject] All versions of `markdown` are vulnerable to Regular Expression Denial of Service (ReDoS). The `markdown.toHTML()` function has significantly degraded performance when parsing long strings containing underscores. This may lead to Denial of Service if the parser accepts user input. ## Recommendation No fix is currently available. Consider using an alternative package until a fix is made available.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Review Summary

Risk score: 43. Findings: 1 critical (+40), 1 low (+3).

Published to npm: 2011-03-07