sds @4.4.0
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
Risk Score: 38
License: Unlicense
Install Scripts: No
Dependencies: 3
Dev Dependencies: 4
Package Size: 20.4 KB
Published:
structured data search
Maintainers: monsterkodi
Keywords: json, noon, structured, data, search
Dependencies (3)
| Package | Constraint | Registry Status |
|---|---|---|
| karg | ^1.19.0 | auto_approved |
| klor | ^1.4.0 | auto_approved |
| noon | ^3.0.0 | auto_approved |
Dev Dependencies (4)
| Package | Constraint | Registry Status |
|---|---|---|
| chai | ^4.2.0 | auto_approved |
| mocha | ^6.2.0 | auto_approved |
| koffee | ^1.3.0 | Not imported |
| lodash | ^4.17.15 | auto_approved |
Transitive Dependency Tree
3 transitive deps
max depth 3
├─ karg ^1.19.0 → 1.26.0
├─ klor ^1.4.0 → 1.8.0
├─ noon ^3.0.0 → 3.5.0
├─ karg ^1.26.0 → 1.26.0
├─ klor ^2.16.1 → 2.17.0
├─ noon ^3.1.0 → 3.5.0
├─ klor ^2.16.1 → 2.17.0
Changes from v2.1.1
Dependency Changes
| Change | Package | Version |
|---|---|---|
| added | klor | ^1.4.0 |
| removed | colors | ^1.3.3 |
| removed | lodash | ^4.17.11 |
| removed | write-file-atomic | ^3.0.0 |
| changed | karg | ^1.13.0 → ^1.19.0 |
| changed | noon | ^2.5.0 → ^3.0.0 |
File Changes
1 added
2 removed
11 modified
size delta: -10.9 KB
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-ph28-wwfj-fv7f | osv | reject | AI | AI (osv): Prototype Pollution (CVSS 7.5 HIGH) affects all versions 0.0.0–4.4.0 with no fix available; verdict generalizes to every version in this range. |
SAST Findings (2)
HIGH: GHSA-ph28-wwfj-fv7f: Prototype Pollution in sds (source: osv)
CVSS 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. This affects the package sds from 0.0.0. The library could be tricked into adding or modifying properties of Object.prototype by abusing the set function located in js/set.js. **Note:** This vulnerability derives from an incomplete fix to CVE-2020-7618.
LOW: No provenance attestation (source: provenance)
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 38. Findings: 1 high (+25), 1 medium (+10), 1 low (+3).
Commit: 362f9a3d1cdb
Published to npm: