@clerk/express @1.7.78
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
Risk Score: 55
License: MIT
Install Scripts: No
Dependencies: 4
Dev Dependencies: 4
Package Size: 16.7 KB
Published
Clerk server SDK for usage with Express
Maintainers
colinclerk, bradenclerk, nikosdouvlis, chanioxaris, jescalan, bkalow, dominic-clerk, mwickett
Keywords
clerk, sdk, express
Dependencies (4)
| Package | Constraint | Registry Status |
|---|---|---|
| tslib | 2.8.1 | auto_approved |
| @clerk/types | ^4.101.22 | pending |
| @clerk/shared | ^3.47.4 | auto_approved |
| @clerk/backend | ^2.33.2 | pending |
Dev Dependencies (4)
| Package | Constraint | Registry Status |
|---|---|---|
| express | ^4.21.2 | auto_approved |
| supertest | ^6.3.4 | auto_approved |
| @types/express | ^4.17.23 | auto_approved |
| @types/supertest | ^6.0.3 | pending |
Transitive Dependency Tree
10 transitive deps, max depth 3 (constraint → resolved version where the registry shows one)
├─ @clerk/backend ^2.33.2
├─ @clerk/shared ^3.47.4 → 3.47.4
├─ tslib 2.8.1 → 2.8.1
├─ csstype 3.1.3
├─ dequal 2.0.3 → 2.0.3
├─ glob-to-regexp 0.4.1 → 0.4.1
├─ js-cookie 3.0.5 → 3.0.5
├─ std-env ^3.9.0
├─ swr 2.3.4 → 2.3.4
├─ dequal ^2.0.3 → 2.0.3
├─ use-sync-external-store ^1.4.0 → 1.6.0
Changes from v2.1.3
Dependency Changes
| Change | Package | Version |
|---|---|---|
| added | @clerk/types | ^4.101.22 |
| changed | @clerk/shared | ^4.8.1 → ^3.47.4 |
| changed | @clerk/backend | ^3.2.11 → ^2.33.2 |
Script Changes
+ dev:publish
+ publish:local
- dev:pub
File Changes
2 added
8 removed
11 modified
size delta: -21.7 KB
Risk Dispositions (0 applicable to this version, 1 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
Dispositions that do not match any finding on this version (1):
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-gjxx-92w9-8v8f | osv | reject | AI | AI (osv): SSRF vulnerability leaking secret keys; affected range covers 2.0.0–2.0.6; fix available in 2.0.7. Reject generalizes to all affected versions. |
SAST Findings (2)
HIGH
Publisher changed: GitHub Actions → dominic-clerk (on 2026-04-15)
provenance
This version was published on 2026-04-15 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise. Because the same version also carries a CI/CD provenance attestation (the INFO finding below), the publishing account and the attestation's source repository and workflow should be checked against each other before treating either signal as decisive.
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). A verified attestation is the strongest supply chain integrity signal available on npm; it is only as strong as that verification, so the attestation's subject digest must match the published tarball and its source repository and workflow must be the ones expected for this package.
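The two provenance findings above, together with the version and dependency downgrades in the change list (2.1.3 to 1.7.78; @clerk/shared ^4.8.1 → ^3.47.4; @clerk/backend ^3.2.11 → ^2.33.2), are all heuristics that can be replayed from the registry's package document. The block below is an added example, not GreenFlagged's or Clerk's code. It assumes the public npm packument layout (`versions[v]._npmUser.name`, `versions[v].dist.attestations.provenance.predicateType`, `versions[v].dependencies`), a caller-supplied set of CI publisher identities, and severity weights inferred from this page's summary line (one high = +25, three medium = +30). The sample packument, package and account names are constructed for the example, and the "provenance-publisher-mismatch" rule (a human publisher on a version that claims CI provenance) is this example's own addition, not a GreenFlagged rule.

```python
"""Replay publisher-change, provenance, version-regression and dependency-downgrade
checks over a constructed npm-style packument (example code, not GreenFlagged's)."""
import json
import re

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
SLSA_V1 = "https://slsa.dev/provenance/v1"
# Weights inferred from the page's summary line; assumption, not GreenFlagged's formula.
WEIGHTS = {"HIGH": 25, "MEDIUM": 10, "INFO": 0}


def parse_semver(spec):
    """(major, minor, patch) for an exact version or a ^/~/>= range; None if unparsable."""
    m = SEMVER.match(spec.lstrip("^~>=< "))
    return tuple(int(x) for x in m.groups()) if m else None


# Constructed packument fragment: only the field layout mirrors the npm registry
# document; the package, accounts, URLs and ranges are made up for this example.
PACKUMENT = json.loads("""{
  "name": "example-sdk",
  "versions": {
    "2.1.3": {
      "_npmUser": {"name": "github-actions[bot]"},
      "dist": {"attestations": {"url": "https://registry.example/attestations/example-sdk@2.1.3",
                                "provenance": {"predicateType": "https://slsa.dev/provenance/v1"}}},
      "dependencies": {"core": "^3.2.11", "shared": "^4.8.1"}
    },
    "1.7.78": {
      "_npmUser": {"name": "some-maintainer"},
      "dist": {"attestations": {"url": "https://registry.example/attestations/example-sdk@1.7.78",
                                "provenance": {"predicateType": "https://slsa.dev/provenance/v1"}}},
      "dependencies": {"core": "^2.33.2", "shared": "^3.47.4", "types": "^4.101.22"}
    }
  }
}""")


def publisher_change(pkg, prev, curr, ci_publishers):
    """Publisher-changed heuristic: HIGH when a CI identity is replaced by a human account."""
    before = pkg["versions"][prev]["_npmUser"]["name"]
    after = pkg["versions"][curr]["_npmUser"]["name"]
    if before == after:
        return None
    severity = "HIGH" if before in ci_publishers and after not in ci_publishers else "MEDIUM"
    return {"rule": "publisher-changed", "severity": severity, "from": before, "to": after}


def has_provenance(pkg, version, predicate=SLSA_V1):
    """True when the version's dist metadata carries a provenance attestation of the given predicate."""
    att = pkg["versions"][version].get("dist", {}).get("attestations") or {}
    return (att.get("provenance") or {}).get("predicateType") == predicate


def version_regression(prev, curr):
    """The newly published version sorts below the previous one (as 1.7.78 after 2.1.3)."""
    a, b = parse_semver(prev), parse_semver(curr)
    return a is not None and b is not None and b < a


def dependency_downgrades(pkg, prev, curr):
    """Dependencies whose constraint's major version went backwards between the two versions."""
    before = pkg["versions"][prev].get("dependencies", {})
    after = pkg["versions"][curr].get("dependencies", {})
    out = []
    for name, new_range in after.items():
        old_range = before.get(name)
        a, b = (parse_semver(old_range) if old_range else None), parse_semver(new_range)
        if a and b and b[0] < a[0]:
            out.append((name, old_range, new_range))
    return out


def review(pkg, prev, curr, ci_publishers=frozenset({"github-actions[bot]"})):
    """Run every check and return findings in the order they fire."""
    findings = []
    change = publisher_change(pkg, prev, curr, ci_publishers)
    if change:
        findings.append(change)
    if has_provenance(pkg, curr):
        findings.append({"rule": "slsa-provenance", "severity": "INFO"})
        # Example's own rule: CI provenance claimed, but a human account did the publish.
        if change and change["severity"] == "HIGH":
            findings.append({"rule": "provenance-publisher-mismatch", "severity": "HIGH"})
    if version_regression(prev, curr):
        findings.append({"rule": "version-regression", "severity": "MEDIUM", "from": prev, "to": curr})
    for name, old_range, new_range in dependency_downgrades(pkg, prev, curr):
        findings.append({"rule": "dependency-major-downgrade", "severity": "MEDIUM",
                         "package": name, "from": old_range, "to": new_range})
    return findings


def score(findings):
    """Additive risk score under the inferred weights."""
    return sum(WEIGHTS[f["severity"]] for f in findings)


if __name__ == "__main__":
    result = review(PACKUMENT, "2.1.3", "1.7.78")
    print(json.dumps(result, indent=1), "score:", score(result))
```

On the sample data the run reports the publisher change as HIGH, the attestation as INFO, the mismatch between the two, the version regression, and both major-version dependency downgrades. Against the live registry, the same checks would read the packument from `https://registry.npmjs.org/<name>` and would still need the attestation itself verified (subject digest and source workflow), which this block does not do.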
Review Summary
Risk score: 55. Findings: 1 high (+25), 3 medium (+30), 2 info (+0).
Published to npm: