[email protected] rejected Risk: 93 MIT 2015-11-06

mout @0.11.1

rejected

This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.

npm Repository Homepage Tarball

Risk Score

MIT

License

Install Scripts

Dependencies

Dev Dependencies

166.6 KB

Package Size

2015-11-06

Published

Modular Utilities

Maintainers

millermedeirossatazorconradzmathias.paumgarten

Keywords

utilitiesfunctionalamd-utilsstdlib

Dev Dependencies (11)

Package	Constraint	Registry Status
mdoc	~0.3.2	Not imported
jshint	2.x	auto_approved
nodefy	*	auto_approved
rimraf	2.2.2	auto_approved
istanbul	~0.1.27	auto_approved
commander	~1.0.5	auto_approved
requirejs	2.x	auto_approved
rocambole	~0.2.3	auto_approved
handlebars	~1.0.6	No greenflagged match
regenerate	~0.5.4	No greenflagged match
jasmine-node	~1.14.5	auto_approved

Risk Dispositions (2 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule	Source	Disposition	Author	Reason
`osv:GHSA-pc58-wgmc-hfjr`	osv	reject	AI	AI (osv): HIGH severity prototype pollution; fixed in 1.2.3. Affects all versions < 1.2.3, so this verdict generalizes to any version in that range.
`osv:GHSA-vvv8-xw5f-3f88`	osv	reject	AI	AI (osv): HIGH severity prototype pollution (incomplete fix of CVE-2020-7792); fixed in 1.2.4. Affects all versions < 1.2.4, verdict generalizes to any version in that range.

SAST Findings (3)

CRITICAL GHSA-pc58-wgmc-hfjr: Prototype Pollution in mout osv

[Always reject] CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.

CRITICAL GHSA-vvv8-xw5f-3f88: Prototype Pollution in mout osv

[Always reject] CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target object recursively is not checked, leading to exploiting this vulnerability. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7792](https://security.snyk.io/vuln/SNYK-JS-MOUT-1014544).

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 93. Findings: 2 critical (+80), 1 medium (+10), 1 low (+3).

Commit: 588be08f87ee Browse source

Published to npm: 2015-11-06