All art-template versions

[email protected] rejected Risk: 100 MIT

art-template @4.13.3

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
npm Repository Homepage Tarball
100
Risk Score
MIT
License
No
Install Scripts
8
Dependencies
11
Dev Dependencies
10.2 KB
Package Size
Published

JavaScript Template Engine

Maintainers

daughtrymomv4v5qc

Keywords

template

Dependencies (8)

PackageConstraintRegistry Status
acorn ^5.0.3 auto_approved
escodegen ^1.8.1 auto_approved
js-tokens ^3.0.1 auto_approved
estraverse ^4.2.0 auto_approved
source-map ^0.5.6 auto_approved
html-minifier ^3.4.3 rejected
is-keyword-js ^1.0.3 auto_approved
merge-source-map ^1.0.3 auto_approved

Dev Dependencies (11)

PackageConstraintRegistry Status
mocha ^5.2.0 auto_approved
eslint ^3.19.0 auto_approved
webpack ^3.0.0 auto_approved
istanbul ^0.4.5 needs_review
prettier ^1.14.2 auto_approved
babel-cli ^6.26.0 pending
coveralls ^2.13.0 auto_approved
node-noop ^1.0.0 auto_approved
eslint-loader ^1.7.1 auto_approved
babel-preset-env ^1.7.0 auto_approved
eslint-plugin-prettier ^2.6.2 auto_approved

Transitive Dependency Tree

17 transitive deps max depth 3
  ├─ acorn ^5.0.3 → 5.7.4
  ├─ escodegen ^1.8.1 → 1.14.3
  ├─ estraverse ^4.2.0 → 4.3.0
  ├─ html-minifier ^3.4.3
  ├─ is-keyword-js ^1.0.3 → 1.0.3
  ├─ js-tokens ^3.0.1 → 3.0.2
  ├─ merge-source-map ^1.0.3 → 1.1.0
├─ source-map ^0.5.6 → 0.5.7
  ├─ esprima ^4.0.1 → 4.0.1
  ├─ estraverse ^4.2.0 → 4.3.0
  ├─ esutils ^2.0.2 → 2.0.3
  ├─ optionator ^0.8.1 → 0.8.2
  ├─ source-map ~0.6.1 → 0.6.1
├─ source-map ^0.6.1 → 0.6.1
  ├─ deep-is ~0.1.3 → 0.1.4
  ├─ fast-levenshtein ~2.0.4
  ├─ levn ~0.3.0
  ├─ prelude-ls ~1.1.2
  ├─ type-check ~0.3.2
  ├─ wordwrap ~1.0.0 → 1.0.0

Changes from v4.13.2

No metadata changes detected.

File Changes

0 added 23 removed 5 modified size delta: -56.6 KB

Risk Dispositions (2 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule Source Disposition Author Reason
maintainer-takeover maintainer-change reject AI AI (maintainer-change): Complete replacement of original maintainer aui by new accounts with no prior history on this package; combined with repo URL change to a fork, this is a clear hijack signal.
publisher-changed provenance reject AI AI (provenance): Publisher changed from original author aui to v4v5qc, a new account with minimal history, coinciding with repo URL change and source size drop.

SAST Findings (4)

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (aui) were replaced by new maintainers (daughtrymom, v4v5qc). This is a strong signal of a potential package hijack and requires careful review.

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: v4v5qc.

HIGH Publisher changed: aui → v4v5qc (on 2025-03-12) provenance

This version was published by a different npm account than previous versions on 2025-03-12. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 100 (capped from 155). Findings: 3 high (+75), 5 medium (+50), 10 low (+30).

Published to npm: