sds @4.3.0
structured data search
Maintainers
Keywords
Dependencies (3)
| Package | Constraint | Registry Status |
|---|---|---|
| karg | ^1.19.0 | auto_approved |
| klor | ^1.4.0 | auto_approved |
| noon | ^3.0.0 | auto_approved |
Dev Dependencies (4)
| Package | Constraint | Registry Status |
|---|---|---|
| chai | ^4.2.0 | auto_approved |
| mocha | ^6.2.0 | auto_approved |
| koffee | ^1.3.0 | Not imported |
| lodash | ^4.17.15 | auto_approved |
Transitive Dependency Tree
Changes from v2.1.1
Dependency Changes
| Change | Package | Version |
|---|---|---|
| added | klor | ^1.4.0 |
| removed | colors | ^1.3.3 |
| removed | lodash | ^4.17.11 |
| removed | write-file-atomic | ^3.0.0 |
| changed | karg | ^1.13.0 → ^1.19.0 |
| changed | noon | ^2.5.0 → ^3.0.0 |
File Changes
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
| osv:GHSA-ph28-wwfj-fv7f | osv | reject | AI | AI (osv): Prototype Pollution (CVSS 7.5 HIGH) affects all versions 0.0.0–4.4.0 with no fix available; verdict generalizes to every version in this range. | |
SAST Findings (2)
[Always reject] CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. This affects the package sds from 0.0.0. The library could be tricked into adding or modifying properties of Object.prototype by abusing the set function located in js/set.js. The vector describes a network-reachable, unauthenticated attack with an integrity-only impact; in practice it matters wherever untrusted input can control the key path handed to set. **Note:** This vulnerability derives from an incomplete fix to CVE-2020-7618.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD (publishing with `npm publish --provenance` from a supported CI runner such as GitHub Actions or GitLab CI). Until then, `npm audit signatures` can verify only the registry signature for this package, not a build attestation tying the tarball to the source commit listed below.
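To make the prototype pollution finding above concrete, here is an added example of the class of bug it describes. This is illustrative code, not sds's own js/set.js (whose internals this page does not show); the dotted-path `set` shape, the function names and the attacker path are assumptions. The vulnerable helper walks into `Object.prototype` through a `__proto__` (or `constructor` then `prototype`) segment; the hardened form rejects those segments and only descends through own, plain-object properties.

```javascript
// Added example (not sds's own js/set.js): a dotted-path "set" helper of the
// shape the finding describes, in a vulnerable and a hardened form.

// Vulnerable: every path segment is used as a property name, so a segment of
// "__proto__" (or "constructor" followed by "prototype") walks into
// Object.prototype and the final assignment lands on the shared prototype.
function unsafeSet(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] === undefined || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Segments that can reach a prototype from a plain object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: reject prototype-reaching segments up front and only descend into
// own, plain-object properties; anything else is replaced by a fresh object,
// so inherited accessors are never followed.
function safeSet(obj, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new TypeError(`refusing to set path segment "${k}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Runs both setters against a constructed attacker-controlled path and reports
// what an unrelated, freshly created object observes afterwards.
function demonstrate() {
  const attackerPath = '__proto__.polluted'; // constructed input (assumption)
  unsafeSet({}, attackerPath, 'yes');
  const leakedIntoFreshObjects = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // undo the pollution before the hardened run

  let hardenedRefused = false;
  try {
    safeSet({}, attackerPath, 'yes');
  } catch (e) {
    hardenedRefused = e instanceof TypeError;
  }
  return {
    leakedIntoFreshObjects,
    hardenedRefused,
    prototypeClean: ({}).polluted === undefined,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstrate());
}
```

Rejecting `constructor` outright is deliberately over-broad: data that legitimately uses that key is refused. A narrower variant rejects `constructor` only when the next segment is `prototype`, or keeps the target objects prototype-free (`Object.create(null)` or a `Map`) so that no segment can reach a shared prototype at all.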
Review Summary
Risk score: 53. Findings: 1 critical (+40), 1 medium (+10), 1 low (+3).
Commit: 8ec215af993e
Published to npm: