All object-path versions

object-path @0.11.5

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 38
License: MIT
Install Scripts: No
Dependencies: 0
Dev Dependencies: 6
Package Size: 9.5 KB
Published:

Access deep object properties using a path

Maintainers

mariocasciaro

Keywords

deep, path, access, bean, get, property, dot, prop, object, obj, notation, segment, value, nested, key

Dev Dependencies (6)

Package                      Constraint   Registry Status
nyc                          ^15.1.0      auto_approved
chai                         ^4.2.0       auto_approved
mocha                        ^8.1.3       auto_approved
coveralls                    ^3.1.0       auto_approved
mocha-lcov-reporter          ^1.3.0       auto_approved
@mariocasciaro/benchpress    ^0.1.3       Not imported

Risk Dispositions (2 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule                        Source   Disposition   Author   Reason
osv:GHSA-8v63-cqqc-6r2c     osv      reject        AI       AI (osv): Prototype pollution in del(); affects all versions < 0.11.8. Fix available. Verdict generalizes across affected range.
osv:GHSA-v39p-96qg-c8rf     osv      reject        AI       AI (osv): Type confusion bypass of CVE-2020-15256; affects all versions < 0.11.6. Fix available. Verdict generalizes across affected range.

SAST Findings (3)

HIGH GHSA-8v63-cqqc-6r2c: Prototype Pollution in object-path (source: osv)

CVSS 7.5 (HIGH) — CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The `del()` function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like `toString` on all objects.

MEDIUM GHSA-v39p-96qg-c8rf: Prototype Pollution in object-path (source: osv)

CVSS 5.6 (MEDIUM) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition `currentPath === '__proto__'` returns false if `currentPath` is `['__proto__']`, because the `===` operator always returns false when the operands are of different types.

LOW No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance attestation in their CI/CD publishing workflow.

Review Summary

Risk score: 38. Findings: 1 high (+25), 1 medium (+10), 1 low (+3).

Commit: 63324602658f

Published to npm: