passport @0.2.0
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
Risk Score: 40
License: MIT
Install Scripts: No
Dependencies: 2
Dev Dependencies: 5
Package Size: 11.7 KB
Published
Simple, unobtrusive authentication for Node.js.
Maintainers: jaredhanson
Keywords: express, connect, auth, authn, authentication
Dependencies (2)
| Package | Constraint | Registry Status |
|---|---|---|
| pause | 0.0.1 | auto_approved |
| passport-strategy | 1.x.x | auto_approved |
Dev Dependencies (5)
| Package | Constraint | Registry Status |
|---|---|---|
| chai | 1.x.x | auto_approved |
| mocha | 1.x.x | auto_approved |
| proxyquire | 0.5.x | auto_approved |
| chai-passport-strategy | 0.2.x | Not imported |
| chai-connect-middleware | 0.3.x | Not imported |
Transitive Dependency Tree
2 transitive deps, max depth 1
├─ passport-strategy 1.x.x → 1.0.0
├─ pause 0.0.1 → 0.0.1
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-v923-w3x8-wh69 | osv | reject | AI | AI (osv): Advisory affects all passport versions < 0.6.0; fix is available in 0.6.0. This verdict generalizes to all versions in the affected range. |
SAST Findings (2)
MEDIUM (osv): GHSA-v923-w3x8-wh69: Passport vulnerable to session regeneration when a user logs in or out
CVSS 4.8 (MEDIUM) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.

INFO (provenance): No provenance attestation
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
Review Summary
Risk score: 40. Findings: 1 critical (+40), 1 info (+0).
Published to npm: