printf @0.2.5
Full implementation of the `printf` family in pure JS.
Maintainers
Keywords
Dev Dependencies (4)
| Package | Constraint | Registry Status |
|---|---|---|
| mocha | 2.5.3 | auto_approved |
| semver | 5.1.1 | No greenflagged match |
| should | 9.0.2 | auto_approved |
| coffee-script | 1.10.0 | auto_approved |
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-xfhp-gmh8-r8v2 | osv | reject | AI | AI (osv): ReDoS vulnerability affects all versions < 0.6.1; fix exists in 0.6.1. This advisory generalizes to all versions of this package below the fix threshold. |
SAST Findings (2)
[Always reject] CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The package printf before 0.6.1 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex `/\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g` in `lib/printf.js`. The vulnerable regular expression has cubic worst-case time complexity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
Review Summary
Risk score: 43. Findings: 1 critical (+40), 1 low (+3).
Commit: f2a6a6d8a52c
Published to npm: