redux-mock-store @1.5.5

Status: rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 100
License:
Install Scripts: No
Dependencies: 1
Dev Dependencies: 18
Package Size: 9.3 KB
Published

Maintainers

dmitry-zaets
eskimojo

Dependencies (1)

Package | Constraint | Registry Status
lodash.isplainobject ^4.0.6 auto_approved

Dev Dependencies (18)

Package | Constraint | Registry Status
mocha ^2.3.3 auto_approved
redux ^3.0.4 auto_approved
sinon ^1.17.2 auto_approved
expect ^1.12.2 auto_approved
rimraf ^2.4.3 auto_approved
rollup ^0.45.1 auto_approved
standard ^7.1.2 auto_approved
babel-cli ^6.11.4 auto_approved
cross-env ^5.0.1 No greenflagged match
babel-core ^6.13.2 auto_approved
redux-thunk ^2.0.1 auto_approved
babel-preset-env ^1.6.1 auto_approved
rollup-plugin-babel ^2.7.1 auto_approved
rollup-plugin-uglify ^2.0.1 auto_approved
rollup-plugin-replace ^1.1.1 auto_approved
rollup-plugin-commonjs ^8.2.6 auto_approved
rollup-plugin-node-resolve ^3.0.0 auto_approved
babel-plugin-external-helpers ^6.22.0 auto_approved

Transitive Dependency Tree

1 transitive deps max depth 1
  ├─ lodash.isplainobject ^4.0.6 → 4.0.6

Changes from v1.5.4

Dependency Changes

Script Changes

+ build
+ test:es
+ build:es
+ test:cjs
+ build:cjs
+ build:umd
+ test:unit
+ build:umd:min

File Changes

5 added, 3 removed, 2 modified; size delta: +30.2 KB

Risk Dispositions (2 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule | Source | Disposition | Author | Reason
publisher-changed provenance reject AI AI (provenance): Publisher changed from original maintainer after years of dormancy; strong takeover signal for this package.
dormant-publish publish-pattern reject AI AI (publish-pattern): 2985 days of inactivity before this publish; combined with publisher change, high takeover risk.

SAST Findings (5)

HIGH (provenance): Missing gitHead — previous versions had it

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: eskimojo.

HIGH (provenance): Publisher changed: dmitry-zaets → eskimojo (on 2024-10-21)

This version was published by a different npm account than previous versions on 2024-10-21. This could indicate a legitimate maintainer transition or an account compromise.

HIGH (source-diff): New file with network + code execution: dist/index-es.js

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH (source-diff): New file with network + code execution: dist/index-umd.js

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW (provenance): No provenance attestation

Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.

Review Summary

Risk score: 100 (capped from 143). Findings: 4 high (+100), 4 medium (+40), 1 low (+3).

Published to npm: