All fsevents versions

fsevents @1.2.4

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 100
License: MIT
Install Scripts: Yes
Dependencies: 2
Dev Dependencies: 1
Package Size: 766.5 KB
Published:

Native Access to MacOS FSEvents

Maintainers

bajtos, bnoordhuis, es128, pipobscure

Keywords

fsevents, mac

Dependencies (2)

Package        Constraint   Registry Status
nan            ^2.9.2       auto_approved
node-pre-gyp   ^0.10.0      auto_approved

Dev Dependencies (1)

Package        Constraint   Registry Status
tap            ~0.4.8       auto_approved

Transitive Dependency Tree

46 transitive deps, max depth 6
  ├─ nan ^2.9.2 → 2.26.2
├─ node-pre-gyp ^0.10.0 → 0.10.3
  ├─ detect-libc ^1.0.2
  ├─ mkdirp ^0.5.1 → 0.5.6
  ├─ needle ^2.2.1 → 2.9.1
  ├─ nopt ^4.0.1 → 4.0.3
  ├─ npm-packlist ^1.1.6
  ├─ npmlog ^4.0.2 → 4.1.2
  ├─ rc ^1.2.7 → 1.2.8
  ├─ rimraf ^2.6.1 → 2.7.1
  ├─ semver ^5.3.0 → 5.7.2
├─ tar ^4 → 4.4.19
  ├─ abbrev 1
  ├─ are-we-there-yet ~1.1.2
  ├─ chownr ^1.1.4
  ├─ console-control-strings ~1.1.0 → 1.1.0
  ├─ debug ^3.2.6 → 3.2.7
  ├─ deep-extend ^0.6.0 → 0.6.0
  ├─ fs-minipass ^1.2.7
  ├─ gauge ~2.7.3
  ├─ glob ^7.1.3 → 7.1.7
  ├─ iconv-lite ^0.4.4 → 0.4.24
  ├─ ini ~1.3.0 → 1.3.8
  ├─ minimist ^1.2.6 → 1.2.8
  ├─ minimist ^1.2.0 → 1.2.8
  ├─ minipass ^2.9.0 → 2.9.0
  ├─ minizlib ^1.3.3
  ├─ mkdirp ^0.5.5 → 0.5.6
  ├─ osenv ^0.1.4 → 0.1.5
  ├─ safe-buffer ^5.2.1 → 5.2.1
  ├─ sax ^1.2.4 → 1.6.0
  ├─ set-blocking ~2.0.0 → 2.0.0
  ├─ strip-json-comments ~2.0.1 → 2.0.1
├─ yallist ^3.1.1 → 3.1.1
  ├─ fs.realpath ^1.0.0
  ├─ inflight ^1.0.4
  ├─ inherits 2 → 2.0.4
  ├─ minimatch ^3.0.4 → 3.1.5
  ├─ minimist ^1.2.6 → 1.2.8
  ├─ ms ^2.1.1 → 2.1.3
  ├─ once ^1.3.0 → 1.4.0
  ├─ os-homedir ^1.0.0 → 1.0.2
  ├─ os-tmpdir ^1.0.0 → 1.0.2
  ├─ path-is-absolute ^1.0.0 → 1.0.1
  ├─ safe-buffer ^5.1.2 → 5.2.1
  ├─ safer-buffer >= 2.1.2 < 3 → 2.1.2
├─ yallist ^3.0.0 → 3.1.1
  ├─ brace-expansion ^1.1.7 → 1.1.14
├─ wrappy 1 → 1.0.2
  ├─ balanced-match ^1.0.0 → 1.0.2
  ├─ concat-map 0.0.1 → 0.0.1

Changes from v0.3.8

Dependency Changes

Change    Package        Version
added     node-pre-gyp   ^0.10.0
changed   nan            ^2.0.2 → ^2.9.2

Script Changes

+ prepublish   node-pre-gyp

File Changes

546 added, 4 removed, 7 modified; size delta: +2405.8 KB

SAST Findings (3)

CRITICAL  GHSA-8r6j-v8pm-fqw3: Code injection in fsevents  (source: osv)

CVSS 9.8 (CRITICAL) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary.

CRITICAL  MAL-2023-462: Malicious code in fsevents (npm)  (source: osv)

Source: ghsa-malware (acdc3ae57250fab51aeff6e3938ed40197a1b74eb688a72cd5d7eee0c77a7167)

This advisory is intended to inform the npm ecosystem with details to resolve a third-party malware incident that may have impacted your infrastructure if you are directly or transitively dependent on the fsevents npm package (https://www.npmjs.com/package/fsevents).

Overview

fsevents v1.0.0 <= v1.2.10 downloaded binary executables that contained unintended code due to an expired cloud storage resource being reclaimed by a third party.

Details

The fsevents npm package v1.0.0 through v1.2.10 attempts to fetch a pre-built binary executable artifact (fse.node) from cloud storage. If this fetch fails, fsevents v1.x will attempt to build this artifact directly from source. Version 1.x of fsevents has been deprecated for several years and as a result the aforementioned cloud storage resource namespace was available for registration. A third party, unrelated to the fsevents maintainers, subsequently claimed this namespace and in April 2023 this third party started serving modified versions of the “fse.node” binary executable artifact to new fsevents v1.x users. As of April 27, 2023 the cloud storage resource in question has been indefinitely suspended and is no longer serving binaries. The affected cloud storage pre-fetch was removed in fsevents version 1.2.11 (https://github.com/fsevents/fsevents/commit/909af26846834642c81d19f4148afa3b7557b058).

Impact

The impact of the modified versions of fse.node appears to be limited to information gathering. Note that initial analysis was performed for the modified artifact associated with fsevents v1.2.9, which was distributed as fse-v1.2.9-node-v72-darwin-x64.tar.gz prior to the cloud storage resource being suspended.

For more detailed analysis you may compare a decompilation of the v1.x fse.node artifacts on your systems with the intended fsevents v1.x source as it exists at https://github.com/fsevents/fsevents/tree/v1.x

How to fix it

If you are dependent on the deprecated version of fsevents v1.x, the recommended course of action is to upgrade to fsevents v2.x or remove the dependency altogether, as currently maintained versions of Node.js no longer require fsevents for file system watching on macOS.

INFO  No provenance attestation  (source: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 100 (capped from 110). Findings: 2 critical (+80), 3 medium (+30), 5 info (+0).

Commit: 0effedf587a9

Published to npm: