All sds versions

[email protected] rejected Risk: 63 Unlicense

sds @3.2.0

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
npm Repository Homepage Tarball
63
Risk Score
Unlicense
License
No
Install Scripts
3
Dependencies
4
Dev Dependencies
18.5 KB
Package Size
Published

structured data search

Maintainers

monsterkodi

Keywords

jsonnoonyamlstructureddatasearch

Dependencies (3)

PackageConstraintRegistry Status
karg ^1.19.0 auto_approved
klor ^1.1.1 auto_approved
noon ^2.14.1 auto_approved

Dev Dependencies (4)

PackageConstraintRegistry Status
chai ^4.2.0 auto_approved
mocha ^6.1.4 auto_approved
koffee ^1.3.0 Not imported
lodash ^4.17.11 auto_approved

Transitive Dependency Tree

9 transitive deps max depth 4
  ├─ karg ^1.19.0 → 1.26.0
  ├─ klor ^1.1.1 → 1.8.0
├─ noon ^2.14.1 → 2.15.0
  ├─ js-yaml ^3.13.1 → 3.14.2
  ├─ karg ^1.19.0 → 1.26.0
  ├─ klor ^1.4.0 → 1.8.0
  ├─ klor ^2.16.1 → 2.17.0
  ├─ lodash.defaults ^4.2.0 → 4.2.0
  ├─ lodash.pad ^4.5.1 → 4.5.1
├─ noon ^3.1.0 → 3.5.0
  ├─ argparse ^1.0.7 → 1.0.10
  ├─ esprima ^4.0.0 → 4.0.1
├─ klor ^2.16.1 → 2.17.0
  ├─ sprintf-js ~1.0.2 → 1.0.3

Changes from v2.1.1

Dependency Changes

ChangePackageVersion
added klor ^1.1.1
removed colors ^1.3.3
removed lodash ^4.17.11
removed write-file-atomic ^3.0.0
changed karg ^1.13.0 → ^1.19.0
changed noon ^2.5.0 → ^2.14.1

File Changes

1 added 2 removed 10 modified size delta: -18.7 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule Source Disposition Author Reason
osv:GHSA-ph28-wwfj-fv7f osv reject AI AI (osv): Prototype Pollution (CVSS 7.5 HIGH) affects all versions 0.0.0–4.4.0 with no fix available; verdict generalizes to every version in this range.

SAST Findings (3)

CRITICAL GHSA-ph28-wwfj-fv7f: Prototype Pollution in sds osv

[Always reject] CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N This affects the package sds from 0.0.0. The library could be tricked into adding or modifying properties of the Object.prototype by abusing the set function located in js/set.js. **Note:** This vulnerability derives from an incomplete fix to CVE-2020-7618

MEDIUM GHSA-cxm3-284p-qc4v: Prototype Pollution in sds osv

CVSS 5.3 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Affected versions of `sds` are vulnerable to prototype pollution. The `set` function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. ## Recommendation Upgrade to version 4.0.0 or later

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 63. Findings: 1 critical (+40), 2 medium (+20), 1 low (+3).

Commit: 0dedd4e97d02 Browse source

Published to npm: