[email protected] rejected Risk: 66 MIT 2016-10-27

parsejson @0.0.3

rejected

This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.

npm Repository Homepage Tarball

Risk Score

MIT

License

Install Scripts

Dependencies

Dev Dependencies

1.9 KB

Package Size

2016-10-27

Published

Method that parses a JSON string and returns a JSON object

Maintainers

gal

Dependencies (1)

Package	Constraint	Registry Status
better-assert	~1.0.0	auto_approved

Dev Dependencies (2)

Package	Constraint	Registry Status
mocha	1.17.1	auto_approved
better-assert	~1.0.0	auto_approved

Transitive Dependency Tree

2 transitive deps max depth 2

├─ better-assert ~1.0.0 → 1.0.2

├─ callsite 1.0.0 → 1.0.0

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule	Source	Disposition	Author	Reason
`osv:GHSA-q75g-2496-mxpp`	osv	reject	AI	AI (osv): ReDoS vulnerability affects all versions (<= 0.0.3) with no fix published. Rejection generalizes to every version of this package.

SAST Findings (2)

HIGH GHSA-q75g-2496-mxpp: Regular Expression Denial of Service in parsejson osv

Affected versions of `parsejson` are vulnerable to a regular expression denial of service when parsing untrusted user input. ## Recommendation The `parsejson` package has not been functionally updated since it was initially released. Additionally, it provides functionality which is natively included in Node.js, and therefore the native `JSON.parse()` should be used, for both performance and security reasons.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 66. Findings: 1 critical (+40), 2 medium (+20), 2 low (+6).

Commit: 7c26d14d9a07 Browse source

Published to npm: 2016-10-27