
cloudflare @6.1.0

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 100
License:
Install Scripts: No
Dependencies: 7
Dev Dependencies: 0
Package Size: 3568.8 KB
Published:
Maintainers: mgirouard-cfmusa-cfvaishakpdineshterinjokes

Dependencies (7)

Package  Constraint  Registry Status
node-fetch ^2.6.7 auto_approved
@types/node ^18.11.18 auto_approved
formdata-node ^4.3.2 auto_approved
agentkeepalive ^4.2.1 auto_approved
abort-controller ^3.0.0 auto_approved
@types/node-fetch ^2.6.4 auto_approved
form-data-encoder 1.7.2 auto_approved

Transitive Dependency Tree

37 transitive deps, max depth 6 (entries grouped by depth; the extracted listing is breadth-first, with the unindented line marking the end of each level)

Depth 1 (direct dependencies)
  ├─ @types/node ^18.11.18 → 18.19.130
  ├─ @types/node-fetch ^2.6.4 → 2.6.13
  ├─ abort-controller ^3.0.0 → 3.0.0
  ├─ agentkeepalive ^4.2.1 → 4.6.0
  ├─ form-data-encoder 1.7.2 → 1.7.2
  ├─ formdata-node ^4.3.2 → 4.4.1
  └─ node-fetch ^2.6.7 → 2.6.13

Depth 2
  ├─ @types/node * → 25.6.0
  ├─ event-target-shim ^5.0.0
  ├─ form-data ^4.0.4 → 4.0.5
  ├─ humanize-ms ^1.2.1
  ├─ node-domexception 1.0.0 → 1.0.0
  ├─ undici-types ~5.26.4 → 5.26.5
  ├─ web-streams-polyfill 4.0.0-beta.3
  └─ whatwg-url ^5.0.0 → 5.0.0

Depth 3
  ├─ asynckit ^0.4.0
  ├─ combined-stream ^1.0.8 → 1.0.8
  ├─ es-set-tostringtag ^2.1.0 → 2.1.0
  ├─ hasown ^2.0.2 → 2.0.3
  ├─ mime-types ^2.1.12 → 2.1.35
  ├─ tr46 ~0.0.3 → 0.0.3
  ├─ undici-types ~7.19.0 → 7.19.2
  └─ webidl-conversions ^3.0.0 → 3.0.1

Depth 4
  ├─ delayed-stream ~1.0.0 → 1.0.0
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ function-bind ^1.1.2 → 1.1.2
  ├─ get-intrinsic ^1.2.6 → 1.3.1
  ├─ has-tostringtag ^1.0.2 → 1.0.2
  ├─ hasown ^2.0.2 → 2.0.3
  └─ mime-db 1.52.0

Depth 5
  ├─ async-function ^1.0.0
  ├─ async-generator-function ^1.0.0 → 1.0.0
  ├─ call-bind-apply-helpers ^1.0.2 → 1.0.2
  ├─ es-define-property ^1.0.1 → 1.0.1
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ es-object-atoms ^1.1.1 → 1.1.1
  ├─ function-bind ^1.1.2 → 1.1.2
  ├─ generator-function ^2.0.0 → 2.0.1
  ├─ get-proto ^1.0.1
  ├─ gopd ^1.2.0
  ├─ has-symbols ^1.1.0 → 1.1.0
  ├─ has-symbols ^1.0.3 → 1.1.0
  ├─ hasown ^2.0.2 → 2.0.3
  └─ math-intrinsics ^1.1.0 → 1.1.0

Depth 6
  ├─ es-errors ^1.3.0 → 1.3.0
  └─ function-bind ^1.1.2 → 1.1.2

SAST Findings (9)

CRITICAL webhook-url: resources/alerting/destinations/webhooks.js:17 semgrep

Hardcoded webhook URL suggests data exfiltration
Source: https://github.com/cloudflare/cloudflare-typescript/blob/a0eb463a9074b01703816eafdbf1280a9b27b4f5/resources/alerting/destinations/webhooks.js#L17

      15 |  * account_id: '023e105f4ecef8ad9ca31a8372d0c353',
      16 |  * name: 'Slack Webhook',
    > 17 |  * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd',
      18 |  * });
      19 |  * ```

CRITICAL webhook-url: resources/alerting/destinations/webhooks.js:39 semgrep

Hardcoded webhook URL suggests data exfiltration
Source: https://github.com/cloudflare/cloudflare-typescript/blob/a0eb463a9074b01703816eafdbf1280a9b27b4f5/resources/alerting/destinations/webhooks.js#L39

      37 |  * account_id: '023e105f4ecef8ad9ca31a8372d0c353',
      38 |  * name: 'Slack Webhook',
    > 39 |  * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd',
      40 |  * },
      41 |  * );

CRITICAL webhook-url: resources/alerting/destinations/webhooks.mjs:14 semgrep

Hardcoded webhook URL suggests data exfiltration
Source: https://github.com/cloudflare/cloudflare-typescript/blob/a0eb463a9074b01703816eafdbf1280a9b27b4f5/resources/alerting/destinations/webhooks.mjs#L14

      12 |  * account_id: '023e105f4ecef8ad9ca31a8372d0c353',
      13 |  * name: 'Slack Webhook',
    > 14 |  * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd',
      15 |  * });
      16 |  * ```

CRITICAL webhook-url: resources/alerting/destinations/webhooks.mjs:36 semgrep

Hardcoded webhook URL suggests data exfiltration
Source: https://github.com/cloudflare/cloudflare-typescript/blob/a0eb463a9074b01703816eafdbf1280a9b27b4f5/resources/alerting/destinations/webhooks.mjs#L36

      34 |  * account_id: '023e105f4ecef8ad9ca31a8372d0c353',
      35 |  * name: 'Slack Webhook',
    > 36 |  * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd',
      37 |  * },
      38 |  * );

CRITICAL shady-links-exfil-services: resources/realtime-kit/webhooks.js:29 semgrep

URL pointing to known exfiltration/tunneling service
Source: https://github.com/cloudflare/cloudflare-typescript/blob/a0eb463a9074b01703816eafdbf1280a9b27b4f5/resources/realtime-kit/webhooks.js#L29

      27 |  * ],
      28 |  * name: 'All events webhook',
    > 29 |  * url: 'https://webhook.site/b23a5bbd-c7b0-4ced-a9e2-78ae7889897e',
      30 |  * },
      31 |  * );

CRITICAL shady-links-exfil-services: resources/realtime-kit/webhooks.js:130 semgrep

URL pointing to known exfiltration/tunneling service
Source: https://github.com/cloudflare/cloudflare-typescript/blob/a0eb463a9074b01703816eafdbf1280a9b27b4f5/resources/realtime-kit/webhooks.js#L130

     128 |  * ],
     129 |  * name: 'All events webhook',
   > 130 |  * url: 'https://webhook.site/b23a5bbd-c7b0-4ced-a9e2-78ae7889897e',
     131 |  * },
     132 |  * );

CRITICAL shady-links-exfil-services: resources/realtime-kit/webhooks.mjs:26 semgrep

URL pointing to known exfiltration/tunneling service
Source: https://github.com/cloudflare/cloudflare-typescript/blob/a0eb463a9074b01703816eafdbf1280a9b27b4f5/resources/realtime-kit/webhooks.mjs#L26

      24 |  * ],
      25 |  * name: 'All events webhook',
    > 26 |  * url: 'https://webhook.site/b23a5bbd-c7b0-4ced-a9e2-78ae7889897e',
      27 |  * },
      28 |  * );

CRITICAL shady-links-exfil-services: resources/realtime-kit/webhooks.mjs:127 semgrep

URL pointing to known exfiltration/tunneling service
Source: https://github.com/cloudflare/cloudflare-typescript/blob/a0eb463a9074b01703816eafdbf1280a9b27b4f5/resources/realtime-kit/webhooks.mjs#L127

     125 |  * ],
     126 |  * name: 'All events webhook',
   > 127 |  * url: 'https://webhook.site/b23a5bbd-c7b0-4ced-a9e2-78ae7889897e',
     128 |  * },
     129 |  * );

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Review Summary

Risk score: 100 (capped from 326). Findings: 8 critical (+320), 2 low (+6), 1 info (+0).

Commit: a0eb463a9074

Published to npm: