timespan @2.3.0
A JavaScript TimeSpan library for node.js (and soon the browser)
Maintainers
Keywords
Dev Dependencies (1)
| Package | Constraint | Registry Status |
|---|---|---|
| vows | >= 0.7.0 | auto_approved |
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-f523-2f5j-gfcg | osv | reject | AI | AI (osv): ReDoS vulnerability with no fix available; affects all versions <= 2.3.0. No patched version exists, so this rejection generalizes to all published versions of this package. |
SAST Findings (2)
CVSS 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (reachable over the network, no privileges or user interaction required, availability impact only).

Affected versions of `timespan` are vulnerable to a regular expression denial of service (ReDoS) when parsing dates. The amplification is significant: a 50,000-character input blocks the Node.js event loop for around 10 seconds.

Recommendation: no direct patch is available. The best available solution is to switch to a functionally equivalent package. It is also sufficient to ensure that user-controlled input is never passed into `timespan`, or to cap the length of such input before it reaches the parser; limiting input to 150 characters should be sufficient in most cases.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
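The length-cap mitigation recommended in the ReDoS finding above, as an added example that is not part of the `timespan` package, its advisory, or this review. The regex here is a constructed stand-in with a nested quantifier, not timespan's actual date parser, and `guardedParse`, `parseDateStandIn`, `worstCaseInput` and `elapsedMs` are hypothetical helper names chosen for this illustration. The point it shows is that an O(1) length check in front of the parser bounds the worst case regardless of what the regex does, which is why the advisory's 150-character cap is a sufficient stopgap when no patched version exists.

```javascript
// Added example (not from the timespan package or its maintainers): a
// length-capped wrapper that applies the advisory's mitigation, rejecting
// over-long input before it can reach a backtracking-prone date parser.

// The advisory's suggested ceiling: 150 characters is enough for any date string.
const MAX_DATE_INPUT = 150;

// Constructed stand-in for a regex-based date parser. This pattern is NOT
// timespan's; its nested quantifier "(\d+\s?)+" backtracks exponentially on a
// run of digits followed by a character that breaks the match, e.g. "111...1!".
const STAND_IN_DATE_RE = /^(\d+\s?)+$/;

// Parses "YYYY MM DD"-style input into numbers: "2024 01 15" -> [2024, 1, 15].
// Throws on anything the pattern rejects. Cost is exponential on worst-case input.
function parseDateStandIn(input) {
  if (!STAND_IN_DATE_RE.test(input)) {
    throw new Error('unparseable date: ' + JSON.stringify(input.slice(0, 32)));
  }
  return input.trim().split(/\s+/).map(Number);
}

// The mitigation: a constant-time length check that runs before any regex
// engine sees the data, so attacker-controlled length can no longer drive cost.
function guardedParse(input, parser = parseDateStandIn, maxLen = MAX_DATE_INPUT) {
  if (typeof input !== 'string') throw new TypeError('date input must be a string');
  if (input.length > maxLen) {
    throw new RangeError(`date input too long (${input.length} > ${maxLen} chars)`);
  }
  return parser(input);
}

// Worst-case input for the stand-in pattern: n digits, then a character that
// forces the engine to try every way of splitting the digit run across groups.
function worstCaseInput(n) {
  return '1'.repeat(n) + '!';
}

// Wall-clock milliseconds spent in fn(); exceptions are swallowed because only
// the time matters here.
function elapsedMs(fn) {
  const start = process.hrtime.bigint();
  try { fn(); } catch (_) { /* timing only */ }
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Demonstration: the guard rejects a 50,000-char payload (the size quoted in
// the advisory) immediately, while the unguarded parser's cost roughly doubles
// with each extra digit of bad input. Never feed the big payload to the
// unguarded parser: that is the event-loop stall the advisory describes.
const bigPayload = worstCaseInput(50000);
console.log('guarded 50,000-char input rejected in %s ms',
  elapsedMs(() => guardedParse(bigPayload)).toFixed(3));
for (const n of [14, 16, 18]) {
  console.log('unguarded %d-char worst case: %s ms', n + 1,
    elapsedMs(() => parseDateStandIn(worstCaseInput(n))).toFixed(3));
}
```

To apply this to real code, replace `parseDateStandIn` with the call that currently hands user input to `timespan`, and treat the `RangeError` as an input-validation failure (HTTP 400, not 500). The cap should sit at the trust boundary, before any logging or normalisation that might itself run a regex over the same string.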
Review Summary
Risk score: 38. Findings: 1 high (+25), 1 medium (+10), 1 low (+3).
Published to npm: