@heroku-cli/color @1.1.9
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
| Field | Value |
|---|---|
| Risk Score | 81 |
| License | — |
| Install Scripts | No |
| Dependencies | 5 |
| Dev Dependencies | 16 |
| Package Size | 10.1 KB |
| Published | |
| Maintainers | alindeman, alouie-sfdc, amerine, bigkevmcd, brettgoulder, codefinger, cyberdelia, cyx, dickeyxxx, dmathieu, halorgium, hone, idangazit, joshwlewis, ojacobson, ransombriggs, rasphilco, raulb, ryanbrainard, sibson, sigmavirus24, stephenbarlow, troelsthomsen, uhoh-itsmaciek, yann_ck |
| Keywords | heroku, heroku-cli-plugin |
Dependencies (5)
| Package | Constraint | Registry Status |
|---|---|---|
| chalk | ^2.4.1 | auto_approved |
| tslib | ^1.9.3 | auto_approved |
| strip-ansi | ^4.0.0 | auto_approved |
| ansi-styles | ^3.2.1 | auto_approved |
| supports-color | ^5.4.0 | auto_approved |
Dev Dependencies (16)
| Package | Constraint | Registry Status |
|---|---|---|
| jest | ^23.2.0 | auto_approved |
| husky | 0.14.3 | auto_approved |
| tslint | ^5.10.0 | auto_approved |
| del-cli | 1.1.0 | auto_approved |
| ts-jest | ^22.4.6 | pending |
| prettier | ^1.13.7 | auto_approved |
| typescript | 2.9.2 | auto_approved |
| @types/jest | ^23.1.3 | auto_approved |
| @types/node | 10.5.1 | auto_approved |
| lint-staged | 7.2.0 | auto_approved |
| @types/chalk | 2.2.0 | auto_approved |
| @cli-engine/util | ^1.2.12 | Not imported |
| @heroku-cli/tslint | ^1.1.4 | Not imported |
| @types/ansi-styles | 3.2.0 | auto_approved |
| @types/supports-color | 5.3.0 | auto_approved |
| javascript-obfuscator | ^0.17.0 | auto_approved |
Transitive Dependency Tree (10 transitive deps, max depth 4)
| Package | Constraint | Resolved |
|---|---|---|
| ansi-styles | ^3.2.1 | 3.2.1 |
| chalk | ^2.4.1 | 2.4.2 |
| strip-ansi | ^4.0.0 | 4.0.0 |
| supports-color | ^5.4.0 | 5.5.0 |
| tslib | ^1.9.3 | 1.14.1 |
| ansi-regex | ^3.0.0 | 3.0.1 |
| ansi-styles | ^3.2.1 | 3.2.1 |
| color-convert | ^1.9.0 | 1.9.3 |
| escape-string-regexp | ^1.0.5 | 1.0.5 |
| has-flag | ^3.0.0 | 3.0.0 |
| supports-color | ^5.3.0 | 5.5.0 |
| color-convert | ^1.9.0 | 1.9.3 |
| color-name | 1.1.3 | 1.1.3 |
| has-flag | ^3.0.0 | 3.0.0 |
| color-name | 1.1.3 | 1.1.3 |
Changes from v1.1.3
Dependency Changes
| Change | Package | Version |
|---|---|---|
| added | tslib | ^1.9.3 |
| changed | chalk | ^2.3.0 → ^2.4.1 |
| changed | ansi-styles | ^3.2.0 → ^3.2.1 |
| changed | supports-color | ^5.1.0 → ^5.4.0 |
File Changes: 4 added, 0 removed, 3 modified, size delta +29.6 KB
Risk Dispositions (3 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| semgrep:dynamic-require | semgrep | reject | AI | AI (semgrep): Dynamic requires in this package are artifacts of intentional javascript-obfuscator obfuscation in the build pipeline — a malware indicator, not a false positive. |
| source-size-tripled | source-diff | reject | AI | AI (source-diff): 13.2x size increase is directly caused by obfuscation payload injection; not a legitimate growth pattern for this color utility. |
| missing-githead | provenance | reject | AI | AI (provenance): Missing gitHead coincides with introduction of obfuscated build pipeline, indicating altered publish environment. |
SAST Findings (2)
| Severity | Finding | Category | Details |
|---|---|---|---|
| HIGH | Missing gitHead (previous versions had it) | provenance | This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: dickeyxxx. |
| LOW | No provenance attestation | provenance | Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
Review Summary
Risk score: 81. Findings: 1 high (+25), 5 medium (+50), 2 low (+6), 4 info (+0).
Published to npm: