[email protected] rejected Risk: 68 BSD-3-Clause 2018-11-01

pez @4.0.4

rejected

This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.

npm Repository Homepage Tarball

Risk Score

BSD-3-Clause

License

Install Scripts

Dependencies

Dev Dependencies

4.1 KB

Package Size

2018-11-01

Published

Multipart parser

Maintainers

cjihrighueniversemarsupnlfwyatt

Keywords

HTTPmultipartparser

Dependencies (5)

Package	Constraint	Registry Status
b64	4.x.x	auto_approved
boom	7.x.x	auto_approved
hoek	6.x.x	No greenflagged match
nigel	3.x.x	auto_approved
content	4.x.x	No greenflagged match

Dev Dependencies (5)

Package	Constraint	Registry Status
lab	17.x.x	auto_approved
code	5.x.x	auto_approved
wreck	14.x.x	auto_approved
teamwork	3.x.x	auto_approved
form-data	2.x.x	auto_approved

Transitive Dependency Tree

6 transitive deps max depth 3

├─ b64 4.x.x → 4.1.2

├─ boom 7.x.x → 7.3.0

├─ content 4.x.x

├─ hoek 6.x.x

├─ nigel 3.x.x → 3.0.4

├─ hoek 6.x.x → 6.1.2

├─ vise 3.x.x → 3.0.2

├─ hoek 6.x.x → 6.1.2

Changes from v2.1.5

Dependency Changes

Change	Package	Version
changed	b64	3.x.x → 4.x.x
changed	boom	5.x.x → 7.x.x
changed	hoek	4.x.x → 6.x.x
changed	nigel	2.x.x → 3.x.x
changed	content	3.x.x → 4.x.x

File Changes

0 added 0 removed 4 modified size delta: .0 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule	Source	Disposition	Author	Reason
`osv:GHSA-g64q-3vg8-8f93`	osv	reject	AI	AI (osv): Prototype Pollution affects all versions of pez with no fix; package is deprecated in favor of @hapi/pez. Verdict generalizes to every version of this package.

SAST Findings (3)

CRITICAL GHSA-g64q-3vg8-8f93: Prototype Pollution in pez osv

[Always reject] All versions of `pez` are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts’ content can be set as the entire payload object’s prototype. If this prototype contains data, it may bypass other validation rules which enforce access and privacy. If this prototype evaluates to null, it can cause unhandled exceptions when the request payload is accessed. ## Recommendation This package is deprecated and is now maintained as `@hapi/pez`. Please update your dependencies to use `@hapi/pez`.

HIGH Publisher changed: cjihrig → hueniverse (on 2018-11-01) provenance

This version was published by a different npm account than previous versions on 2018-11-01. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 68. Findings: 1 critical (+40), 1 high (+25), 1 low (+3).

Commit: 7cd9718a0815 Browse source

Published to npm: 2018-11-01