useragent @2.3.0

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 38
License: MIT
Install Scripts: Yes
Dependencies: 2
Dev Dependencies: 6
Package Size: 39.8 KB
Published

Fastest, most accurate & efficient user agent string parser, uses Browserscope's research for parsing

Maintainers

v13rdeden

Keywords

agent, browser, browserscope, os, parse, parser, ua, ua-parse, ua-parser, user agent, user, user-agent, useragent, version

Dependencies (2)

| Package | Constraint | Registry Status |
|---|---|---|
| tmp | 0.0.x | No greenflagged match |
| lru-cache | 4.1.x | auto_approved |

Dev Dependencies (6)

| Package | Constraint | Registry Status |
|---|---|---|
| mocha | 5.0.x | auto_approved |
| assume | 1.5.x | No greenflagged match |
| semver | 5.5.x | No greenflagged match |
| request | 2.83.x | No greenflagged match |
| pre-commit | 1.2.x | auto_approved |
| yamlparser | 0.0.x | auto_approved |

Transitive Dependency Tree

4 transitive deps, max depth 2
├─ lru-cache 4.1.x → 4.1.5
│  ├─ pseudomap ^1.0.2 → 1.0.2
│  └─ yallist ^2.1.2 → 2.1.2
└─ tmp 0.0.x

Changes from v0.1.2

Dependency Changes

| Change | Package | Version |
|---|---|---|
| added | tmp | 0.0.x |
| added | lru-cache | 4.1.x |

Script Changes

+ qa
+ test
+ update
+ prepublish

License Changed

none → MIT

File Changes

13 added, 7 removed, 2 modified; size delta: -799.9 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-mgfv-m47x-4wqp | osv | reject | AI | AI (osv): ReDoS vulnerability (CVSS 7.5) affects all versions <= 2.3.0 with no fix published. Verdict generalizes to all versions in the affected range. |

SAST Findings (2)

HIGH GHSA-mgfv-m47x-4wqp: useragent Regular Expression Denial of Service vulnerability osv

CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS).

## PoC

```js
async function exploit() {
  const useragent = require("useragent");
  // Create a malicious user-agent that leads to excessive backtracking
  const maliciousUserAgent = 'Mozilla/5.0 (' + 'X'.repeat(30000) + ') Gecko/20100101 Firefox/77.0';
  // Parse the malicious user-agent
  const agent = useragent.parse(maliciousUserAgent);
  // Call the toString method to trigger the vulnerability
  const result = await agent.device.toString();
  console.log(result);
}

await exploit();
```

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 38. Findings: 1 high (+25), 1 medium (+10), 1 low (+3).

Commit: 6acaca729fd2

Published to npm: