All @redhat-cloud-services/topological-inventory-client versions
@redhat-cloud-services/topological-inventory-client @3.0.11
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
63
Risk Score
Apache-2.0
License
No
Install Scripts
2
Dependencies
0
Dev Dependencies
1155.8 KB
Package Size
Published
Maintainers
jozefhartingerkarelhalahyperkidflorkbrchmulder
Dependencies (2)
| Package | Constraint | Registry Status |
|---|---|---|
| tslib | ^2.6.2 | auto_approved |
| @redhat-cloud-services/javascript-clients-shared | ^2.0.5 | auto_approved |
Transitive Dependency Tree
31 transitive deps
max depth 6
├─
@redhat-cloud-services/javascript-clients-shared
^2.0.5
→ 2.0.12
├─
tslib
^2.6.2
→ 2.8.1
├─
axios
^1.15.0
→ 1.18.1
├─
follow-redirects
^1.16.0
→ 1.16.0
├─
form-data
^4.0.5
→ 4.0.6
├─
https-proxy-agent
^5.0.1
→ 5.0.1
├─
proxy-from-env
^2.1.0
→ 2.1.0
├─
agent-base
6
→ 6.0.2
├─
asynckit
^0.4.0
→ 0.4.0
├─
combined-stream
^1.0.8
→ 1.0.8
├─
debug
4
→ 4.4.3
├─
es-set-tostringtag
^2.1.0
→ 2.1.0
├─
hasown
^2.0.4
→ 2.0.4
├─
mime-types
^2.1.35
→ 2.1.35
├─
delayed-stream
~1.0.0
→ 1.0.0
├─
es-errors
^1.3.0
→ 1.3.0
├─
function-bind
^1.1.2
→ 1.1.2
├─
get-intrinsic
^1.2.6
→ 1.3.1
├─
has-tostringtag
^1.0.2
→ 1.0.2
├─
mime-db
1.52.0
├─
ms
^2.1.3
→ 2.1.3
├─
async-function
^1.0.0
├─
async-generator-function
^1.0.0
→ 1.0.0
├─
call-bind-apply-helpers
^1.0.2
→ 1.0.2
├─
es-define-property
^1.0.1
→ 1.0.1
├─
es-object-atoms
^1.1.1
→ 1.1.2
├─
generator-function
^2.0.0
→ 2.0.1
├─
get-proto
^1.0.1
├─
gopd
^1.2.0
→ 1.2.0
├─
has-symbols
^1.0.3
→ 1.1.0
├─
math-intrinsics
^1.1.0
→ 1.1.0
Changes from v3.0.9
Dependency Changes
Script Changes
+ preinstallFile Changes
0 added
0 removed
2 modified
size delta: +4177.0 KB
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
install-script:preinstall |
install-scripts | reject | AI | redhat-cloud-services supply-chain compromise (2026-06-01): injected preinstall hook. Auto-reject any version with a preinstall script. |
SAST Findings (3)
HIGH
Package has 'preinstall' script
install-scripts
Script: node index.js
HIGH
Missing gitHead — previous versions had it
provenance
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
Review Summary
Risk score: 63. Findings: 2 high (+50), 1 medium (+10), 1 low (+3), 2 info (+0).
Published to npm: