[email protected] rejected Risk: 16 MIT 2014-05-14

on-headers @0.0.0

rejected

This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.

npm Repository Homepage Tarball

Risk Score

MIT

License

Install Scripts

Dependencies

Dev Dependencies

2.3 KB

Package Size

2014-05-14

Published

Execute a listener when a response is about to write headers

Maintainers

dougwilson

Keywords

eventheadershttponheaders

Dev Dependencies (2)

Package	Constraint	Registry Status
mocha	~1.18.2	auto_approved
supertest	~0.12.1	auto_approved

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule	Source	Disposition	Author	Reason
`osv:GHSA-76c9-3jph-rj3q`	osv	reject	AI	AI (osv): Advisory affects all versions < 1.1.0 with a fix available in 1.1.0; this verdict generalizes to every version in the affected range.

SAST Findings (2)

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

LOW GHSA-76c9-3jph-rj3q: on-headers is vulnerable to http response header manipulation osv

CVSS 3.4 (LOW) — CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N ### Impact A bug in on-headers versions `< 1.1.0` may result in response headers being inadvertently modified when an array is passed to `response.writeHead()` ### Patches Users should upgrade to `1.1.0` ### Workarounds Uses are encouraged to upgrade to `1.1.0`, but this issue can be worked around by passing an object to `response.writeHead()` rather than an array.

Review Summary

Risk score: 16. Findings: 1 medium (+10), 2 low (+6).

Published to npm: 2014-05-14