npmconf @1.1.9
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
Risk Score: 43
License: ISC
Install Scripts: No
Dependencies: 9
Dev Dependencies: 1
Package Size: 12.4 KB
Published
The config module for npm circa npm@1 and npm@2
Maintainers: isaacs, othiym23
Keywords: npm, config, config-chain, conf, ini
Dependencies (9)
| Package | Constraint | Registry Status |
|---|---|---|
| ini | ^1.2.0 | auto_approved |
| nopt | ~3.0.1 | auto_approved |
| once | ~1.3.0 | auto_approved |
| osenv | ^0.1.0 | auto_approved |
| mkdirp | ^0.5.0 | auto_approved |
| semver | 2 | No greenflagged match |
| inherits | ~2.0.0 | auto_approved |
| uid-number | 0.0.5 | auto_approved |
| config-chain | ~1.1.8 | auto_approved |
Dev Dependencies (1)
| Package | Constraint | Registry Status |
|---|---|---|
| tap | ~0.4.0 | auto_approved |
Transitive Dependency Tree
15 transitive deps
max depth 2
├─ config-chain ~1.1.8 → 1.1.13
├─ inherits ~2.0.0 → 2.0.4
├─ ini ^1.2.0 → 1.3.8
├─ mkdirp ^0.5.0 → 0.5.6
├─ nopt ~3.0.1 → 3.0.6
├─ once ~1.3.0 → 1.3.3
├─ osenv ^0.1.0 → 0.1.5
├─ semver 2
├─ uid-number 0.0.5 → 0.0.5
├─ abbrev 1
├─ ini ^1.3.4 → 1.3.8
├─ minimist ^1.2.6 → 1.2.8
├─ os-homedir ^1.0.0 → 1.0.2
├─ os-tmpdir ^1.0.0 → 1.0.2
├─ proto-list ~1.2.1 → 1.2.4
├─ wrappy 1 → 1.0.2
Changes from v0.2.0
Dependency Changes
| Change | Package | Version |
|---|---|---|
| added | uid-number | 0.0.5 |
| changed | ini | ~1.1.0 → ^1.2.0 |
| changed | nopt | 2 → ~3.0.1 |
| changed | osenv | 0.0.3 → ^0.1.0 |
| changed | mkdirp | ~0.3.3 → ^0.5.0 |
License Changed
BSD → ISC
File Changes
10 added
0 removed
8 modified
size delta: +11.7 KB
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-57cf-349j-352g | osv | reject | AI | AI (osv): Uninitialized memory disclosure affects all versions < 2.1.3; fix available in 2.1.3. Generalizes to all versions in the affected range. |
SAST Findings (2)
CRITICAL
GHSA-57cf-349j-352g: Out-of-bounds Read in npmconf
osv
[Always reject] Versions of `npmconf` before 2.1.3 allocate and write to disk uninitialized memory contents when a typed number is passed as input on Node.js 4.x.
Recommendation: Update to version 2.1.3 or later. Consider switching to another config storage mechanism, as npmconf is deprecated and should not be used.
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 43. Findings: 1 critical (+40), 1 low (+3).
Commit: f679fbdefc10
Published to npm: