nodemon @3.1.5
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
Risk Score: 100
License: MIT
Install Scripts: No
Dependencies: 10
Dev Dependencies: 11
Package Size: 62.0 KB
Published
Simple monitor script for use during development of a Node.js app.
Maintainers
remy
Keywords
cli, monitor, monitor, development, restart, autoload, reload, terminal
Dependencies (10)
| Package | Constraint | Registry Status |
|---|---|---|
| debug | ^4 | auto_approved |
| touch | ^3.1.0 | auto_approved |
| semver | ^7.5.3 | auto_approved |
| chokidar | ^3.5.2 | auto_approved |
| minimatch | ^3.1.2 | auto_approved |
| undefsafe | ^2.0.5 | auto_approved |
| pstree.remy | ^1.1.8 | auto_approved |
| supports-color | ^5.5.0 | auto_approved |
| ignore-by-default | ^1.0.1 | auto_approved |
| simple-update-notifier | ^2.0.0 | auto_approved |
Dev Dependencies (11)
| Package | Constraint | Registry Status |
|---|---|---|
| nyc | ^15.1.0 | auto_approved |
| async | 1.4.2 | auto_approved |
| husky | ^7.0.4 | auto_approved |
| mocha | ^2.5.3 | auto_approved |
| eslint | ^7.32.0 | auto_approved |
| should | ~4.0.0 | auto_approved |
| proxyquire | ^1.8.0 | auto_approved |
| coffee-script | ~1.7.1 | auto_approved |
| @commitlint/cli | ^11.0.0 | auto_approved |
| semantic-release | ^18.0.0 | auto_approved |
| @commitlint/config-conventional | ^11.0.0 | auto_approved |
Transitive Dependency Tree
28 transitive deps
max depth 5
├─ chokidar ^3.5.2 → 3.6.0
├─ debug ^4 → 4.4.3
├─ ignore-by-default ^1.0.1
├─ minimatch ^3.1.2 → 3.1.5
├─ pstree.remy ^1.1.8 → 1.1.8
├─ semver ^7.5.3 → 7.8.0
├─ simple-update-notifier ^2.0.0 → 2.0.0
├─ supports-color ^5.5.0 → 5.5.0
├─ touch ^3.1.0 → 3.1.1
├─ undefsafe ^2.0.5 → 2.0.5
├─ anymatch ~3.1.2 → 3.1.3
├─ brace-expansion ^1.1.7 → 1.1.14
├─ braces ~3.0.2 → 3.0.3
├─ glob-parent ~5.1.2 → 5.1.2
├─ has-flag ^3.0.0 → 3.0.0
├─ is-binary-path ~2.1.0 → 2.1.0
├─ is-glob ~4.0.1 → 4.0.3
├─ ms ^2.1.3 → 2.1.3
├─ normalize-path ~3.0.0 → 3.0.0
├─ readdirp ~3.6.0 → 3.6.0
├─ semver ^7.5.3 → 7.8.0
├─ balanced-match ^1.0.0 → 1.0.2
├─ binary-extensions ^2.0.0
├─ concat-map 0.0.1 → 0.0.1
├─ fill-range ^7.1.1 → 7.1.1
├─ is-extglob ^2.1.1 → 2.1.1
├─ is-glob ^4.0.1 → 4.0.3
├─ normalize-path ^3.0.0 → 3.0.0
├─ picomatch ^2.0.4 → 2.3.2
├─ picomatch ^2.2.1 → 2.3.2
├─ is-extglob ^2.1.1 → 2.1.1
├─ to-regex-range ^5.0.1 → 5.0.1
├─ is-number ^7.0.0 → 7.0.0
Changes from v2.0.7
Dependency Changes
| Change | Package | Version |
|---|---|---|
| added | simple-update-notifier | ^2.0.0 |
| removed | update-notifier | ^4.1.0 |
| changed | debug | ^3.2.6 → ^4 |
| changed | semver | ^5.7.1 → ^7.5.3 |
| changed | chokidar | ^3.2.2 → ^3.5.2 |
| changed | minimatch | ^3.0.4 → ^3.1.2 |
| changed | undefsafe | ^2.0.3 → ^2.0.5 |
| changed | pstree.remy | ^1.1.7 → ^1.1.8 |
Script Changes
- :spec
- postinstall
File Changes
4 added
5 removed
11 modified
size delta: +113.6 KB
Risk Dispositions (1 applicable to this version, 1 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| bundled-binaries | npm-metadata | reject | AI | AI (npm-metadata): Bundled Windows executable in a counterfeit package is a high-risk backdoor signal. Generalizes across all versions of this impersonator. |
1 disposition that does not match any finding on this version
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| bogus-package | bogus-package | reject | AI | AI (bogus-package): Inflated semver on a brand-new single-version package impersonating the well-known nodemon tool. This signal generalizes across all versions of this counterfeit package. |
SAST Findings (2)
CRITICAL
Bundled binary files (1)
npm-metadata
[Always reject] Package contains compiled binaries that could be backdoors: • bin/windows-kill.exe
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
Review Summary
Risk score: 100 (capped from 106). Findings: 1 critical (+40), 6 medium (+60), 2 low (+6).
Commit: 254c2ab17877
Published to npm: