All @asyncapi/specs versions

@asyncapi/specs @6.11.2

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
100
Risk Score
License
No
Install Scripts
1
Dependencies
9
Dev Dependencies
345.8 KB
Package Size
Published

Maintainers

fmvilasderbergasyncapi-bot

Dependencies (1)

PackageConstraintRegistry Status
@types/json-schema ^7.0.11 auto_approved

Dev Dependencies (9)

PackageConstraintRegistry Status
ajv ^8.12.0 auto_approved
nyc ^18.0.0 auto_approved
eslint ^8.56.0 auto_approved
vitest ^4.1.0 auto_approved
ajv-formats ^3.0.1 auto_approved
ajv-draft-04 ^1.0.0 auto_approved
vite-require ^0.2.3 Not imported
eslint-plugin-sonarjs ^0.23.0 auto_approved
conventional-changelog-conventionalcommits ^9.1.0 auto_approved

Transitive Dependency Tree

1 transitive deps max depth 1
  ├─ @types/json-schema ^7.0.11 → 7.0.15

Changes from v6.11.1

No metadata changes detected.

File Changes

0 added 0 removed 9 modified size delta: +3.6 KB

Risk Dispositions (2 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule Source Disposition Author Reason
semgrep:silent-process-exec semgrep reject AI AI (semgrep): Detached obfuscated node -e payload in index.js; no legitimate use in a schema package.
semgrep:obfuscation-hex-functions semgrep reject AI AI (semgrep): javascript-obfuscator payload injected into main entrypoint; malicious.

SAST Findings (6)

HIGH silent-process-exec: index.js:9 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/asyncapi/spec-json-schemas/blob/689f5b96693ab1f82a825b6d7c4ee566b0afc4c6/index.js#L9 7 | async function main() { 8 | try { > 9 | const child = spawn('node', ['-e', `const _0x5af5e1=_0x285e;function _0x285e(_0x5438ad,_0xf2f66b){_0x5438ad=_0x5 10 | detached: true, 11 | stdio: 'ignore',

HIGH silent-process-exec-var: index.js:9 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/asyncapi/spec-json-schemas/blob/689f5b96693ab1f82a825b6d7c4ee566b0afc4c6/index.js#L9 7 | async function main() { 8 | try { > 9 | const child = spawn('node', ['-e', `const _0x5af5e1=_0x285e;function _0x285e(_0x5438ad,_0xf2f66b){_0x5438ad=_0x5 10 | detached: true, 11 | stdio: 'ignore',

HIGH obfuscation-hex-functions: index.js:9 semgrep

Hex-prefixed function names (_0x...) are generated by javascript-obfuscator Source: https://github.com/asyncapi/spec-json-schemas/blob/689f5b96693ab1f82a825b6d7c4ee566b0afc4c6/index.js#L9 7 | async function main() { 8 | try { > 9 | const child = spawn('node', ['-e', `const _0x5af5e1=_0x285e;function _0x285e(_0x5438ad,_0xf2f66b){_0x5438ad=_0x5 10 | detached: true, 11 | stdio: 'ignore',

HIGH obfuscation-while-true: index.js:9 semgrep

while(!![]) loop is a signature of javascript-obfuscator output Source: https://github.com/asyncapi/spec-json-schemas/blob/689f5b96693ab1f82a825b6d7c4ee566b0afc4c6/index.js#L9 7 | async function main() { 8 | try { > 9 | const child = spawn('node', ['-e', `const _0x5af5e1=_0x285e;function _0x285e(_0x5438ad,_0xf2f66b){_0x5438ad=_0x5 10 | detached: true, 11 | stdio: 'ignore',

HIGH obfuscation-hex-functions: index.js:9 semgrep

Hex-prefixed function names (_0x...) are generated by javascript-obfuscator Source: https://github.com/asyncapi/spec-json-schemas/blob/689f5b96693ab1f82a825b6d7c4ee566b0afc4c6/index.js#L9 7 | async function main() { 8 | try { > 9 | const child = spawn('node', ['-e', `const _0x5af5e1=_0x285e;function _0x285e(_0x5438ad,_0xf2f66b){_0x5438ad=_0x5 10 | detached: true, 11 | stdio: 'ignore',

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Review Summary

Risk score: 100 (capped from 125). Findings: 5 high (+125), 6 info (+0).

Commit: 689f5b96693a Browse source

Published to npm: