nconf @0.6.9
Hierarchical node.js configuration with files, environment variables, command-line arguments, and atomic object merging.
Dependencies (3)
| Package | Constraint | Registry Status |
|---|---|---|
| ini | 1.x.x | auto_approved |
| async | 0.2.9 | auto_approved |
| optimist | 0.6.0 | auto_approved |
Dev Dependencies (1)
| Package | Constraint | Registry Status |
|---|---|---|
| vows | 0.7.x | auto_approved |
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-6xwr-q98w-rvg7 | osv | reject | AI | AI (osv): Prototype Pollution vulnerability affects all nconf versions < 0.11.4; fix is available. This advisory generalizes to every version in the affected range, including 0.6.1. |
SAST Findings (2)
[Always reject] CVSS 7.3 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. Prototype Pollution in nconf before 0.11.4 (the same issue as GHSA-6xwr-q98w-rvg7 under Risk Dispositions, CVE-2022-21803). When using the memory engine, a nested JSON representation of the configuration can be stored. The .set() function, which is responsible for writing configuration properties, walks the supplied key path without excluding prototype-related segments, so a crafted property name such as one containing `__proto__` lets the caller modify properties on Object.prototype. Any code path that passes attacker-influenced keys to .set() (for example, merging a user-supplied object into the in-memory store) is affected. Version 0.6.9 lies inside the affected range; the only remediation is upgrading to 0.11.4 or later.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. Note that nconf 0.6.9 predates npm's provenance attestations by roughly a decade (npm introduced them in 2023), so their absence here says nothing about the publisher; it simply means the tarball cannot be tied to a source commit and build. A current release could carry provenance if published with `npm publish --provenance` from a supported CI system.
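To make the prototype pollution finding above concrete, here is an added example (not nconf's source and not part of this report) that models the key-walking pattern the advisory describes: a colon-separated key path is split and nested objects are created on demand. The `vulnerableSet` function follows every segment, including the inherited `__proto__` property, so a crafted key lands on `Object.prototype`; `safeSet` rejects prototype-related segments and only descends into own properties. The crafted key and the `database:host` sample are constructed inputs; the function names are hypothetical.

```javascript
'use strict';
// Added example: a simplified model of the set() pattern described in the
// prototype pollution finding. This is NOT nconf's code; it reproduces only
// the colon-separated path walk so the bug and its fix sit side by side.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: every path segment is followed, including inherited
// properties such as "__proto__", so the walk can land on Object.prototype.
function vulnerableSet(store, key, value) {
  const path = key.split(':');
  let target = store;
  for (let i = 0; i < path.length - 1; i++) {
    const part = path[i];
    if (typeof target[part] !== 'object' || target[part] === null) {
      target[part] = {};
    }
    target = target[part];
  }
  target[path[path.length - 1]] = value;
  return true;
}

// Hardened pattern: refuse prototype-related segments outright, and only
// descend into properties the store itself owns, never inherited ones.
function safeSet(store, key, value) {
  const path = key.split(':');
  if (path.some((part) => FORBIDDEN_SEGMENTS.has(part))) {
    return false; // reject rather than silently write somewhere unexpected
  }
  let target = store;
  for (let i = 0; i < path.length - 1; i++) {
    const part = path[i];
    const own = Object.prototype.hasOwnProperty.call(target, part);
    if (!own || typeof target[part] !== 'object' || target[part] === null) {
      target[part] = {};
    }
    target = target[part];
  }
  target[path[path.length - 1]] = value;
  return true;
}

// Constructed attacker input: a key an application might accept from a
// request body or an untrusted config file and hand straight to set().
const CRAFTED_KEY = '__proto__:polluted';

function demonstrate() {
  const before = ({}).polluted;            // undefined: nothing polluted yet

  const vulnerableStore = {};
  vulnerableSet(vulnerableStore, CRAFTED_KEY, 'yes');
  const afterVulnerable = ({}).polluted;   // 'yes': every object now inherits it
  delete Object.prototype.polluted;        // undo the pollution for the rest of the run

  const safeStore = {};
  const accepted = safeSet(safeStore, CRAFTED_KEY, 'yes');
  const afterSafe = ({}).polluted;         // still undefined

  // Ordinary configuration keys keep working through the hardened path.
  safeSet(safeStore, 'database:host', 'localhost');

  return {
    before,
    afterVulnerable,
    accepted,
    afterSafe,
    host: safeStore.database.host,
  };
}

console.log(demonstrate());
```

The segment denylist is the shape of fix most libraries shipped for this bug class; a stricter alternative is to back the store with `Object.create(null)` so there is no prototype chain to walk at all, and to treat a rejected key as an input validation failure that is logged rather than ignored.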
Review Summary
Risk score: 43. Findings: 1 critical (+40), 1 low (+3), 2 info (+0).
Published to npm: