node-df @0.1.4
A cross-platform Node.js wrapper around the standard Unix disk-usage utility, df.
Maintainers
Keywords
Dependencies (1)
| Package | Constraint | Registry Status |
|---|---|---|
| underscore | ^1.6.0 | auto_approved |
Dev Dependencies (13)
| Package | Constraint | Registry Status |
|---|---|---|
| jest | ^22.1.4 | auto_approved |
| async | ^2.6.0 | auto_approved |
| husky | ^0.14.3 | auto_approved |
| eslint | ^4.17.0 | auto_approved |
| prettier | ^1.10.2 | auto_approved |
| lint-staged | ^6.1.0 | auto_approved |
| eslint-plugin-node | ^5.2.1 | No greenflagged match |
| eslint-plugin-import | ^2.8.0 | auto_approved |
| eslint-plugin-promise | ^3.6.0 | auto_approved |
| eslint-config-prettier | ^2.9.0 | auto_approved |
| eslint-config-standard | ^11.0.0-beta.0 | auto_approved |
| eslint-plugin-prettier | ^2.6.0 | auto_approved |
| eslint-plugin-standard | ^3.0.1 | auto_approved |
Transitive Dependency Tree
SAST Findings (3)
CVSS 9.8 (CRITICAL) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
All versions of `node-df` are vulnerable to Command Injection. The package fails to sanitize filenames passed to the `file` option. If this value is user-controlled it may allow attackers to run arbitrary commands on the server.
Recommendation: No fix is currently available. Consider using an alternative package until a fix is made available.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 100 (capped from 101). Findings: 1 critical (+40), 1 high (+25), 3 medium (+30), 2 low (+6).
Commit: c0b554a9ed73
Published to npm: