object-path @0.11.7
Access deep object properties using a path
Dev Dependencies (6)
| Package | Constraint | Registry Status |
|---|---|---|
| nyc | ^15.1.0 | auto_approved |
| chai | ^4.3.4 | auto_approved |
| mocha | ^9.1.0 | auto_approved |
| coveralls | ^3.1.1 | No greenflagged match |
| mocha-lcov-reporter | ^1.3.0 | auto_approved |
| @mariocasciaro/benchpress | ^0.1.3 | Not imported |
Risk Dispositions (1 applicable to this version, 1 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-8v63-cqqc-6r2c | osv | reject | AI | AI (osv): Prototype pollution in del(); affects all versions < 0.11.8. Fix available. Verdict generalizes across affected range. |
Dispositions that do not match any finding on this version (1)
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-v39p-96qg-c8rf | osv | reject | AI | AI (osv): Type confusion bypass of CVE-2020-15256; affects all versions < 0.11.6. Fix available. Verdict generalizes across affected range. |
SAST Findings (2)
[Always reject] CVSS 7.5 (HIGH) — CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The `del()` function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like `toString` on all objects.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 53. Findings: 1 critical (+40), 1 medium (+10), 1 low (+3).
Commit: 43a926f5bcba
Published to npm: