merge @1.2.1
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
43
Risk Score
MIT
License
No
Install Scripts
0
Dependencies
0
Dev Dependencies
2.8 KB
Package Size
Published
(recursive)? merging of (cloned)? objects.
Maintainers
yeikos
Keywords
mergerecursiveextendcloneobjectbrowser
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
osv:GHSA-7wpw-2hjm-89gp |
osv | reject | AI | AI (osv): Prototype Pollution vulnerability affects all versions < 2.1.1; fixed in 2.1.1. Verdict generalizes to every version in the affected range. |
SAST Findings (2)
CRITICAL
GHSA-7wpw-2hjm-89gp: Prototype Pollution in merge
osv
[Always reject] CVSS 7.3 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L All versions of package merge <2.1.1 are vulnerable to Prototype Pollution via _recursiveMerge .
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 43. Findings: 1 critical (+40), 1 low (+3).
Commit: b31e67fe6592 Browse source
Published to npm: