size-sensor @1.0.4

Status: rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 63
License:
Install Scripts: Yes
Dependencies: 0
Dev Dependencies: 14
Package Size: 5.3 KB
Published:
Maintainers: atool
Keywords: resize, size, sensor, size-detector, element

Dev Dependencies (14)

Package                      Constraint   Registry Status
jest                         ^24.9.0      auto_approved
rimraf                       ^2.6.2       auto_approved
rollup                       ^1.21.4      auto_approved
cross-env                    ^5.1.3       No greenflagged match
@babel/cli                   ^7.6.0       auto_approved
babel-jest                   ^24.9.0      auto_approved
limit-size                   ^0.1.2       Not imported
@babel/core                  ^7.6.0       auto_approved
jest-electron                ^0.1.6       Not imported
@babel/preset-env            ^7.6.0       auto_approved
rollup-plugin-babel          ^4.3.3       auto_approved
babel-plugin-version         ^0.2.1       Not imported
rollup-plugin-uglify         ^6.0.3       auto_approved
rollup-plugin-node-resolve   ^5.2.0       auto_approved

Changes from v1.0.3

No metadata changes detected.

File Changes

0 added, 0 removed, 1 modified; size delta: +0.1 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule: url-dep:@antv/setup
Source: npm-metadata
Disposition: reject
Author: AI
Reason: AI (npm-metadata): SHA-pinned GitHub dep in optionalDependencies on unrelated repo; classic supply-chain attack vector.

SAST Findings (3)

HIGH: SHA-pinned GitHub dependency (optionalDependencies): @antv/setup (source: npm-metadata)

Dependency '@antv/setup' in `optionalDependencies` points to 'github:antvis/G2#7cb42f57561c321ecb09b4552802ae0ac55b3a7a' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.

HIGH: Missing gitHead (previous versions had it) (source: provenance)

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atool.

LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.

Review Summary

Risk score: 63. Findings: 2 high (+50), 1 medium (+10), 1 low (+3).

Published to npm: