
taro-css-to-react-native @3.6.39

Status: rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 43
License: MIT
Install Scripts: No
Dependencies: 5
Dev Dependencies: 4
Package Size: 21.9 KB
Published:

Convert CSS text to a React Native stylesheet object

Maintainers

defaultleeyuche

Keywords

React, ReactNative, styles, CSS

Dependencies (5)

Package                Constraint   Registry Status
css                    ^3.0.0       No greenflagged match
camelize               ^1.0.0       auto_approved
css-mediaquery         ^0.1.2       auto_approved
css-color-keywords     ^1.0.0       auto_approved
postcss-value-parser   ^3.3.0       auto_approved

Dev Dependencies (4)

Package       Constraint   Registry Status
jest          ^29.3.1      auto_approved
jest-cli      ^29.3.1      auto_approved
babel-jest    ^29.5.0      auto_approved
@babel/core   ^7.14.5      auto_approved

Transitive Dependency Tree

5 transitive deps, max depth 1
  ├─ camelize ^1.0.0 → 1.0.1
  ├─ css ^3.0.0
  ├─ css-color-keywords ^1.0.0 → 1.0.0
  ├─ css-mediaquery ^0.1.2 → 0.1.2
  ├─ postcss-value-parser ^3.3.0 → 3.3.1

Changes from v4.1.11

Dependency Changes

Change    Package                Version
changed   camelize               ^1.0.1 → ^1.0.0
changed   postcss-value-parser   ^4.2.0 → ^3.3.0

Script Changes

- prod
- clean
- prebuild

File Changes

0 added, 0 removed, 24 modified; size delta: +2.1 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule                       Source   Disposition   Author   Reason
osv:GHSA-f5xg-cfpj-2mw6    osv      reject        AI       AI (osv): ReDoS vulnerability affects all versions < 4.1.2; generalizes to every version in that range including this one.

SAST Findings (2)

MEDIUM  GHSA-f5xg-cfpj-2mw6: taro-css-to-react-native Regular Expression Denial of Service vulnerability  [source: osv]

CVSS 4.3 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

A vulnerability was found in tarojs taro up to 4.1.1. It has been declared as problematic. This vulnerability affects unknown code of the file taro/packages/css-to-react-native/src/index.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. Upgrading to version 4.1.2 is able to address this issue. The name of the patch is c2e321a8b6fc873427c466c69f41ed0b5e8814bf. It is recommended to upgrade the affected component.

LOW  No provenance attestation  [source: provenance]

Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance via CI/CD.

Review Summary

Risk score: 43. Findings: 1 critical (+40), 1 low (+3).

Published to npm: