timespan @2.2.0

Status: rejected. This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 43
License:
Install Scripts: No
Dependencies: 0
Dev Dependencies: 1
Package Size: 20.3 KB
Published:

A JavaScript TimeSpan library for node.js (and soon the browser)

Keywords

time, dates, utilities, timespan

Dev Dependencies (1)

Package   Constraint   Registry Status
vows      >= 0.5.2     auto_approved

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule                      Source   Disposition   Author   Reason
osv:GHSA-f523-2f5j-gfcg   osv      reject        AI       AI (osv): ReDoS vulnerability with no fix available; affects all versions <= 2.3.0. No patched version exists, so this rejection generalizes to all published versions of this package.

SAST Findings (2)

CRITICAL  GHSA-f523-2f5j-gfcg: Regular Expression Denial of Service in timespan  (source: osv)

[Always reject] CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected versions of `timespan` are vulnerable to a regular expression denial of service when parsing dates. The amplification for this vulnerability is significant, with 50,000 characters resulting in the event loop being blocked for around 10 seconds.

Recommendation

No direct patch is available for this vulnerability. Currently, the best available solution is to use a functionally equivalent alternative package. It is also sufficient to ensure that user input is not being passed into `timespan`, or that the maximum length of such user input is drastically reduced. Limiting the input length to 150 characters should be sufficient in most cases.

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Review Summary

Risk score: 43. Findings: 1 critical (+40), 1 low (+3).

Published to npm: