All parsejson versions

parsejson @0.0.1

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 41
License: MIT
Install Scripts: No
Dependencies: 1
Dev Dependencies: 1
Package Size: 1.1 KB
Published

Method that parses a JSON string and returns a JSON object

Maintainers

gal

Dependencies (1)

Package        Constraint   Registry Status
better-assert  ~1.0.0       auto_approved

Dev Dependencies (1)

Package   Constraint   Registry Status
mocha     1.17.1       auto_approved

Transitive Dependency Tree

2 transitive deps, max depth 2
└─ better-assert ~1.0.0 → 1.0.2
   └─ callsite 1.0.0 → 1.0.0

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule                      Source   Disposition   Author   Reason
osv:GHSA-q75g-2496-mxpp   osv      reject        AI       AI (osv): ReDoS vulnerability affects all versions (<= 0.0.3) with no fix published. Rejection generalizes to every version of this package.

SAST Findings (2)

HIGH GHSA-q75g-2496-mxpp: Regular Expression Denial of Service in parsejson osv

Affected versions of `parsejson` are vulnerable to a regular expression denial of service when parsing untrusted user input.

Recommendation

The `parsejson` package has not been functionally updated since it was initially released. Additionally, it provides functionality which is natively included in Node.js, and therefore the native `JSON.parse()` should be used, for both performance and security reasons.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Review Summary

Risk score: 41. Findings: 1 high (+25), 1 medium (+10), 2 low (+6).

Published to npm: