All subtext versions

[email protected] rejected Risk: 98 BSD-3-Clause

subtext @5.1.3

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
npm Repository Homepage Tarball
98
Risk Score
BSD-3-Clause
License
No
Install Scripts
6
Dependencies
3
Dev Dependencies
4.2 KB
Package Size
Published

HTTP payload parsing

Maintainers

nargonathdevinivymarsupnlf

Keywords

httppayloadfilestreammultipart

Dependencies (6)

PackageConstraintRegistry Status
pez 2.x.x auto_approved
boom 5.x.x auto_approved
hoek 4.x.x auto_approved
wreck 12.x.x auto_approved
bourne 1.x.x auto_approved
content ^3.1.1 No greenflagged match

Dev Dependencies (3)

PackageConstraintRegistry Status
lab 14.x.x auto_approved
code 4.x.x auto_approved
form-data 2.1.x No greenflagged match

Transitive Dependency Tree

9 transitive deps max depth 4
  ├─ boom 5.x.x → 5.3.3
  ├─ bourne 1.x.x → 1.3.3
  ├─ content ^3.1.1
  ├─ hoek 4.x.x → 4.3.1
  ├─ pez 2.x.x → 2.2.2
├─ wreck 12.x.x → 12.6.2
  ├─ b64 3.x.x → 3.0.3
  ├─ boom 5.x.x → 5.3.3
  ├─ content ^3.1.1 → 3.1.2
  ├─ hoek 4.x.x → 4.3.1
├─ nigel 2.x.x → 2.0.2
  ├─ hoek 4.x.x → 4.3.1
├─ vise 2.x.x → 2.0.2
  ├─ hoek 4.x.x → 4.3.1

Changes from v4.4.1

Dependency Changes

ChangePackageVersion
added bourne 1.x.x
changed content 3.x.x → ^3.1.1

License Changed

BSD-3-Clause → SEE LICENSE IN LICENSE.md

File Changes

1 added 1 removed 4 modified size delta: -.4 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule Source Disposition Author Reason
osv:GHSA-2mvq-xp48-4c77 osv reject AI AI (osv): Advisory covers all versions of subtext with no fix available; the package is abandoned in favor of @hapi/subtext. Verdict generalizes to every published version of this package.

SAST Findings (3)

CRITICAL GHSA-2mvq-xp48-4c77: Denial of Service in subtext osv

[Always reject] All versions of `subtext` are vulnerable to Denial of Service (DoS). The package fails to enforce the `maxBytes` configuration for payloads with chunked encoding that are written to the file system. This allows attackers to send requests with arbitrary payload sizes, which may exhaust system resources leading to Denial of Service. ## Recommendation This package is not actively maintained and has been moved to `@hapi/subtext` where version 6.1.2.

HIGH Publisher changed: hueniverse → nargonath (on 2024-01-06) provenance

This version was published by a different npm account than previous versions on 2024-01-06. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 98. Findings: 1 critical (+40), 1 high (+25), 3 medium (+30), 1 low (+3), 1 info (+0).

Commit: 0537f626f42b Browse source

Published to npm: