printf @0.5.3
Full implementation of the `printf` family in pure JS.
Dev Dependencies (4)
| Package | Constraint | Registry Status |
|---|---|---|
| mocha | 5.1.0 | auto_approved |
| semver | 5.5.0 | No greenflagged match |
| should | 13.2.1 | auto_approved |
| coffeescript | ^2.2.4 | auto_approved |
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-xfhp-gmh8-r8v2 | osv | reject | AI | AI (osv): ReDoS vulnerability affects all versions < 0.6.1; fix exists in 0.6.1. This advisory generalizes to all versions of this package below the fix threshold. |
SAST Findings (2)
[Always reject] CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H The package printf before 0.6.1 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex `/\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g` in `lib/printf.js`. The vulnerable regular expression has cubic worst-case time complexity.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 43. Findings: 1 critical (+40), 1 low (+3).
Commit: b8b59c576ad6
Published to npm: