All @asyncapi/generator-helpers versions

@asyncapi/generator-helpers @1.1.1

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
100
Risk Score
Apache-2.0
License
No
Install Scripts
0
Dependencies
1
Dev Dependencies
18.4 KB
Package Size
Published

Package with reusable helpers that make it easier to work with AsyncAPI structures.

Maintainers

fmvilasderbergasyncapi-bot

Dev Dependencies (1)

PackageConstraintRegistry Status
jest ^28.1.3 auto_approved

Changes from v1.1.0

No metadata changes detected.

File Changes

1 added 0 removed 6 modified size delta: +17.8 KB

Risk Dispositions (3 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule Source Disposition Author Reason
encoded-string-file:src/utils.js source-diff reject AI AI (source-diff): Injected javascript-obfuscator payload in src/utils.js spawns a detached hidden child process at load; malicious.
semgrep:obfuscation-while-true semgrep reject AI AI (semgrep): while(!![]) is the obfuscator preamble wrapping the injected backdoor in src/utils.js.
semgrep:obfuscation-hex-functions semgrep reject AI AI (semgrep): _0x hex functions are the obfuscated injected dropper; not present in legit upstream helpers.

SAST Findings (5)

HIGH Long encoded string in modified file: src/utils.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads. Artifact: obfuscated (_0x-array) — true obfuscation signature.

HIGH obfuscation-while-true: src/utils.js:77 semgrep

while(!![]) loop is a signature of javascript-obfuscator output Source: https://github.com/asyncapi/generator/blob/3eab3ec9304aa26081358330491d3cfeb55cc245/src/utils.js#L77 75 | .join('_'); 76 | }; > 77 | 78 | const toCamelCase = (inputStr) => { 79 | return inputStr

HIGH obfuscation-hex-functions: src/utils.js:77 semgrep

Hex-prefixed function names (_0x...) are generated by javascript-obfuscator Source: https://github.com/asyncapi/generator/blob/3eab3ec9304aa26081358330491d3cfeb55cc245/src/utils.js#L77 75 | .join('_'); 76 | }; > 77 | 78 | const toCamelCase = (inputStr) => { 79 | return inputStr

HIGH obfuscation-hex-functions: src/utils.js:77 semgrep

Hex-prefixed function names (_0x...) are generated by javascript-obfuscator Source: https://github.com/asyncapi/generator/blob/3eab3ec9304aa26081358330491d3cfeb55cc245/src/utils.js#L77 75 | .join('_'); 76 | }; > 77 | 78 | const toCamelCase = (inputStr) => { 79 | return inputStr

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Review Summary

Risk score: 100 (capped from 130). Findings: 4 high (+100), 3 medium (+30), 2 info (+0).

Commit: 3eab3ec9304a Browse source

Published to npm: