All @microsoft/node-core-library versions
@microsoft/node-core-library @4.0.1
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
34
Risk Score
MIT
License
No
Install Scripts
0
Dependencies
0
Dev Dependencies
.7 KB
Package Size
Published
(Please use "@rushstack/node-core-library" instead.)
Maintainers
microsoftodspnpm
Changes from v3.19.3
Dependency Changes
| Change | Package | Version |
|---|---|---|
| removed | jju | ~1.4.0 |
| removed | colors | ~1.2.1 |
| removed | semver | ~5.3.0 |
| removed | timsort | ~0.3.0 |
| removed | fs-extra | ~7.0.1 |
| removed | z-schema | ~3.18.3 |
| removed | @types/node | 10.17.13 |
Script Changes
+ postinstall - buildFile Changes
1 added
109 removed
2 modified
size delta: -596.4 KB
Risk Dispositions (3 applicable to this version, 1 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
bogus-package |
bogus-package | reject | AI | AI (bogus-package): Version 0.0.0 is a content-free stub with no code, no metadata, and no dependencies — clearly not a functional release of this package. | |
install-script:postinstall |
install-scripts | reject | AI | AI (install-scripts): Postinstall was newly added in this version alongside a 100% source size drop and removal of all deps — strongly indicative of a hollowed-out/malicious stub. Not a stable pattern for this package. | |
source-size-dropped |
source-diff | reject | AI | AI (source-diff): 282 KB → 787 B drop (100%) combined with new postinstall and stripped deps is a strong supply-chain compromise indicator for this package. |
Show 1 disposition(s) that do not match any finding on this version
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
suspicious-initial-version |
npm-metadata | reject | AI | AI (npm-metadata): 0.0.0 version with zero content confirms this is a placeholder/stub, not a legitimate release. |
SAST Findings (2)
HIGH
Package has 'postinstall' script
install-scripts
Script: node postinstall.js
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 34. Findings: 1 high (+25), 3 low (+9).
Published to npm: