[email protected] rejected Risk: 71 MIT 2014-09-07

merge @1.2.0

rejected

This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.

npm Repository Homepage Tarball

Risk Score

MIT

License

Install Scripts

Dependencies

Dev Dependencies

2.8 KB

Package Size

2014-09-07

Published

(recursive)? merging of (cloned)? objects.

Maintainers

yeikos

Keywords

mergerecursiveextendcloneobjectbrowser

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule	Source	Disposition	Author	Reason
`osv:GHSA-7wpw-2hjm-89gp`	osv	reject	AI	AI (osv): Prototype Pollution vulnerability affects all versions < 2.1.1; fixed in 2.1.1. Verdict generalizes to every version in the affected range.

SAST Findings (3)

CRITICAL GHSA-7wpw-2hjm-89gp: Prototype Pollution in merge osv

[Always reject] CVSS 7.3 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L All versions of package merge <2.1.1 are vulnerable to Prototype Pollution via _recursiveMerge .

HIGH GHSA-f9cm-qmx5-m98h: Prototype Pollution in merge osv

CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Versions of `merge` before 1.2.1 are vulnerable to prototype pollution. The `merge.recursive` function can be tricked into adding or modifying properties of the Object prototype. ## Recommendation Update to version 1.2.1 or later.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 71. Findings: 1 critical (+40), 1 high (+25), 2 low (+6).

Commit: 6fc27c23e1eb Browse source

Published to npm: 2014-09-07