npmconf @2.0.7
The config module for npm circa npm@1 and npm@2
Dependencies (9)
| Package | Constraint | Registry Status |
|---|---|---|
| ini | ^1.2.0 | auto_approved |
| nopt | ~3.0.1 | auto_approved |
| once | ~1.3.0 | auto_approved |
| osenv | ^0.1.0 | auto_approved |
| mkdirp | ^0.5.0 | auto_approved |
| semver | 2 \|\| 3 | No greenflagged match |
| inherits | ~2.0.0 | auto_approved |
| uid-number | 0.0.5 | auto_approved |
| config-chain | ~1.1.8 | auto_approved |
Dev Dependencies (1)
| Package | Constraint | Registry Status |
|---|---|---|
| tap | ~0.4.0 | auto_approved |
Changes from v0.2.0
Dependency Changes
| Change | Package | Version |
|---|---|---|
| added | uid-number | 0.0.5 |
| changed | ini | ~1.1.0 → ^1.2.0 |
| changed | nopt | 2 → ~3.0.1 |
| changed | osenv | 0.0.3 → ^0.1.0 |
| changed | mkdirp | ~0.3.3 → ^0.5.0 |
| changed | semver | 2 → 2 \|\| 3 |
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
| osv:GHSA-57cf-349j-352g | osv | reject | AI | AI (osv): Uninitialized memory disclosure affects all versions < 2.1.3; fix available in 2.1.3. Generalizes to all versions in the affected range. | |
SAST Findings (2)
[Always reject] Versions of `npmconf` before 2.1.3 allocate and write to disk uninitialized memory contents when a typed number is passed as input on Node.js 4.x.
Recommendation: Update to version 2.1.3 or later. Consider switching to another config storage mechanism, as npmconf is deprecated and should not be used.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 43. Findings: 1 critical (+40), 1 low (+3), 1 info (+0).
Commit: cc04391ca4fe