Version Details and Security Vulnerabilities

📦

prova

1.4.1

Comparision Betweeen 1.4.1 and 1.4.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

prova

1.4.1

Comparision Betweeen 1.4.1 and 1.4.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.4.1 of the package prova.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.4.1 of the package

Summary:

Malicious code in new-command (npm)

Details:

The package new-command was found to contain malicious code.

Details about new-command@0.0.3

Summary:

Malicious code in show-help (npm)

Details:

The package show-help was found to contain malicious code.

Details about show-help@1.0.0

Summary:

Malicious code in first-val (npm)

Details:

The package first-val was found to contain malicious code.

Details about first-val@0.0.0

Summary:

Malicious code in show-version (npm)

Details:

The package show-version was found to contain malicious code.

Details about show-version@1.0.1

Summary:

Prototype Pollution in minimist

Details:

Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.

Recommendation

Upgrade to versions 0.2.1, 1.2.3 or later.

Details about minimist@0.0.10

Summary:

Prototype Pollution in minimist

Details:

Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Details about minimist@0.0.10

Summary:

Malicious code in failing-code (npm)

Details:

The package failing-code was found to contain malicious code.

Details about failing-code@0.0.2

Summary:

Malicious code in failing-line (npm)

Details:

The package failing-line was found to contain malicious code.

Details about failing-line@0.0.7

Summary:

Malicious code in format-text (npm)

Details:

The package format-text was found to contain malicious code.

Details about format-text@0.0.3

Summary:

Malicious code in style-format (npm)

Details:

The package style-format was found to contain malicious code.

Details about style-format@0.0.0

Summary:

Malicious code in ansi-codes (npm)

Details:

The package ansi-codes was found to contain malicious code.

Details about ansi-codes@2.0.0

Summary:

Malicious code in filter-stack (npm)

Details:

The package filter-stack was found to contain malicious code.

Details about filter-stack@0.0.0

Summary:

Regular Expression Denial of Service in uglify-js

Details:

Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.

Proof of Concept

var u = require('uglify-js');
var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}

u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");

Results

$ time node test.js 10000
real	0m1.091s
user	0m1.047s
sys	0m0.039s

$ time node test.js 80000
real	0m6.486s
user	0m6.229s
sys	0m0.094s

Recommendation

Update to version 2.6.0 or later.

Details about uglify-js@2.4.24

Summary:

Potential Command Injection in shell-quote

Details:

Affected versions of shell-quote do not properly escape command line arguments, which may result in command injection if the library is used to escape user input destined for use as command line arguments.

Proof of Concept:

The following characters are not escaped properly: >,;,{,}

Bash has a neat but not well known feature known as "Bash Brace Expansion", wherein a sub-command can be executed without spaces by running it between a set of {} and using the , instead of to seperate arguments. Because of this, full command injection is possible even though it was initially thought to be impossible.

   const quote = require('shell-quote').quote;
   console.log(quote(['a;{echo,test,123,234}']));
   // Actual                    "a;{echo,test,123,234}"
   // Expected                  "a\;\{echo,test,123,234\}"
   // Functional Equivalent     "a; echo 'test' '123' '1234'"

Recommendation

Update to version 1.6.1 or later.

Details about shell-quote@0.0.1

Summary:

Potential for Script Injection in syntax-error

Details:

Versions of syntax-error prior to 1.1.1 are affected by a cross-site scripting vulnerability which may allow a malicious file to execute code when browserified.

Recommendation

Update to version 1.1.1 or later.

Details about syntax-error@0.1.0

Summary:

Malicious code in local-debug (npm)

Details:

The package local-debug was found to contain malicious code.

Details about local-debug@0.0.0

Summary:

path-to-regexp outputs backtracking regular expressions

Details:

Impact

A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b.

Patches

For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

These versions add backtrack protection when a custom regex pattern is not provided:

They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.

Version 7.1.0 can enable strict: true and get an error when the regular expression might be bad.

Version 8.0.0 removes the features that can cause a ReDoS.

Workarounds

All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b to /:a-:b([^-/]+).

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.

Details

Using /:a-:b will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/. This can be exploited by a path such as /a${'-a'.repeat(8_000)}/a. OWASP has a good example of why this occurs, but the TL;DR is the /a at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the :a-:b on the repeated 8,000 -a.

Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.

References

Details about path-to-regexp@0.0.2

Summary:

path-to-regexp contains a ReDoS

Details:

Impact

The regular expression that is vulnerable to backtracking can be generated in versions before 0.1.12 of path-to-regexp, originally reported in CVE-2024-45296

Patches

Upgrade to 0.1.12.

Workarounds

Avoid using two parameters within a single path segment, when the separator is not . (e.g. no /:a-:b). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.

References

https://github.com/advisories/GHSA-9wv6-86v2-598j
https://blakeembrey.com/posts/2024-09-web-redos/

Details about path-to-regexp@0.0.2

Summary:

Malicious code in default-debug (npm)

Details:

The package default-debug was found to contain malicious code.

Details about default-debug@0.0.0

Summary:

Malicious code in stream-format (npm)

Details:

The package stream-format was found to contain malicious code.

Details about stream-format@0.0.3

Summary:

Malicious code in new-format (npm)

Details:

The package new-format was found to contain malicious code.

Details about new-format@0.0.1

Summary:

Malicious code in pause-function (npm)

Details:

The package pause-function was found to contain malicious code.

Details about pause-function@0.0.1

Summary:

Regular Expression Denial of Service in minimatch

Details:

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).

Proof of Concept

var minimatch = require(“minimatch”);

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = “”;
  for (i=0; i<=len; i++) {
    result = result + chr;
  }
  return result;
}

var exploit = “[!” + genstr(1000000, “\\”) + “A”;

// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);

Recommendation

Update to version 3.0.2 or later.

Details about minimatch@0.2.14

Summary:

minimatch ReDoS vulnerability

Details:

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Details about minimatch@0.2.14

Summary:

Malicious code in style-dom (npm)

Details:

The package style-dom was found to contain malicious code.

Details about style-dom@0.0.0

Summary:

Malicious code in prettify-error (npm)

Details:

The package prettify-error was found to contain malicious code.

Details about prettify-error@0.0.4

Summary:

Malicious code in bind-key (npm)

Details:

The package bind-key was found to contain malicious code.

Details about bind-key@0.0.0

Summary:

Malicious code in run-serially (npm)

Details:

The package run-serially was found to contain malicious code.

Details about run-serially@0.0.0

Summary:

Malicious code in just-next-tick (npm)

Details:

The package just-next-tick was found to contain malicious code.

Details about just-next-tick@0.0.0

Summary:

Malicious code in flat-glob (npm)

Details:

The package flat-glob was found to contain malicious code.

Details about flat-glob@0.0.1

Summary:

Malicious code in uniques (npm)

Details:

The package uniques was found to contain malicious code.

Details about uniques@0.0.1

Summary:

Prototype Pollution in merge

Details:

Versions of merge before 1.2.1 are vulnerable to prototype pollution. The merge.recursive function can be tricked into adding or modifying properties of the Object prototype.

Recommendation

Update to version 1.2.1 or later.

Details about merge@1.0.0

Summary:

Prototype Pollution in merge

Details:

All versions of package merge <2.1.1 are vulnerable to Prototype Pollution via _recursiveMerge .

Details about merge@1.0.0

Summary:

Prototype pollution in Plist before 3.0.5 can cause denial of service

Details:

Prototype pollution vulnerability via .parse() in Plist allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.

Details about plist@0.2.1

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.4.1 of the package prova.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.4.1 of the package

Summary:

Malicious code in new-command (npm)

Details:

The package new-command was found to contain malicious code.

Details about new-command@0.0.3

Summary:

Malicious code in show-help (npm)

Details:

The package show-help was found to contain malicious code.

Details about show-help@1.0.0

Summary:

Malicious code in first-val (npm)

Details:

The package first-val was found to contain malicious code.

Details about first-val@0.0.0

Summary:

Malicious code in show-version (npm)

Details:

The package show-version was found to contain malicious code.

Details about show-version@1.0.1

Summary:

Prototype Pollution in minimist

Details:

Recommendation

Upgrade to versions 0.2.1, 1.2.3 or later.

Details about minimist@0.0.10

Summary:

Prototype Pollution in minimist

Details:

Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Details about minimist@0.0.10

Summary:

Malicious code in failing-code (npm)

Details:

The package failing-code was found to contain malicious code.

Details about failing-code@0.0.2

Summary:

Malicious code in failing-line (npm)

Details:

The package failing-line was found to contain malicious code.

Details about failing-line@0.0.7

Summary:

Malicious code in format-text (npm)

Details:

The package format-text was found to contain malicious code.

Details about format-text@0.0.3

Summary:

Malicious code in style-format (npm)

Details:

The package style-format was found to contain malicious code.

Details about style-format@0.0.0

Summary:

Malicious code in ansi-codes (npm)

Details:

The package ansi-codes was found to contain malicious code.

Details about ansi-codes@2.0.0

Summary:

Malicious code in filter-stack (npm)

Details:

The package filter-stack was found to contain malicious code.

Details about filter-stack@0.0.0

Summary:

Regular Expression Denial of Service in uglify-js

Details:

Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.

Proof of Concept

var u = require('uglify-js');
var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}

u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");

Results

$ time node test.js 10000
real	0m1.091s
user	0m1.047s
sys	0m0.039s

$ time node test.js 80000
real	0m6.486s
user	0m6.229s
sys	0m0.094s

Recommendation

Update to version 2.6.0 or later.

Details about uglify-js@2.4.24

Summary:

Potential Command Injection in shell-quote

Details:

Proof of Concept:

The following characters are not escaped properly: >,;,{,}

   const quote = require('shell-quote').quote;
   console.log(quote(['a;{echo,test,123,234}']));
   // Actual                    "a;{echo,test,123,234}"
   // Expected                  "a\;\{echo,test,123,234\}"
   // Functional Equivalent     "a; echo 'test' '123' '1234'"

Recommendation

Update to version 1.6.1 or later.

Details about shell-quote@0.0.1

Summary:

Potential for Script Injection in syntax-error

Details:

Versions of syntax-error prior to 1.1.1 are affected by a cross-site scripting vulnerability which may allow a malicious file to execute code when browserified.

Recommendation

Update to version 1.1.1 or later.

Details about syntax-error@0.1.0

Summary:

Malicious code in local-debug (npm)

Details:

The package local-debug was found to contain malicious code.

Details about local-debug@0.0.0

Summary:

path-to-regexp outputs backtracking regular expressions

Details:

Impact

A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b.

Patches

For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

These versions add backtrack protection when a custom regex pattern is not provided:

They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.

Version 7.1.0 can enable strict: true and get an error when the regular expression might be bad.

Version 8.0.0 removes the features that can cause a ReDoS.

Workarounds

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.

Details

References

Details about path-to-regexp@0.0.2

Summary:

path-to-regexp contains a ReDoS

Details:

Impact

The regular expression that is vulnerable to backtracking can be generated in versions before 0.1.12 of path-to-regexp, originally reported in CVE-2024-45296

Patches

Upgrade to 0.1.12.

Workarounds

References

https://github.com/advisories/GHSA-9wv6-86v2-598j
https://blakeembrey.com/posts/2024-09-web-redos/

Details about path-to-regexp@0.0.2

Summary:

Malicious code in default-debug (npm)

Details:

The package default-debug was found to contain malicious code.

Details about default-debug@0.0.0

Summary:

Malicious code in stream-format (npm)

Details:

The package stream-format was found to contain malicious code.

Details about stream-format@0.0.3

Summary:

Malicious code in new-format (npm)

Details:

The package new-format was found to contain malicious code.

Details about new-format@0.0.1

Summary:

Malicious code in pause-function (npm)

Details:

The package pause-function was found to contain malicious code.

Details about pause-function@0.0.1

Summary:

Regular Expression Denial of Service in minimatch

Details:

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).

Proof of Concept

var minimatch = require(“minimatch”);

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = “”;
  for (i=0; i<=len; i++) {
    result = result + chr;
  }
  return result;
}

var exploit = “[!” + genstr(1000000, “\\”) + “A”;

// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);

Recommendation

Update to version 3.0.2 or later.

Details about minimatch@0.2.14

Summary:

minimatch ReDoS vulnerability

Details:

Details about minimatch@0.2.14

Summary:

Malicious code in style-dom (npm)

Details:

The package style-dom was found to contain malicious code.

Details about style-dom@0.0.0

Summary:

Malicious code in prettify-error (npm)

Details:

The package prettify-error was found to contain malicious code.

Details about prettify-error@0.0.4

Summary:

Malicious code in bind-key (npm)

Details:

The package bind-key was found to contain malicious code.

Details about bind-key@0.0.0

Summary:

Malicious code in run-serially (npm)

Details:

The package run-serially was found to contain malicious code.

Details about run-serially@0.0.0

Summary:

Malicious code in just-next-tick (npm)

Details:

The package just-next-tick was found to contain malicious code.

Details about just-next-tick@0.0.0

Summary:

Malicious code in flat-glob (npm)

Details:

The package flat-glob was found to contain malicious code.

Details about flat-glob@0.0.1

Summary:

Malicious code in uniques (npm)

Details:

The package uniques was found to contain malicious code.

Details about uniques@0.0.1

Summary:

Prototype Pollution in merge

Details:

Versions of merge before 1.2.1 are vulnerable to prototype pollution. The merge.recursive function can be tricked into adding or modifying properties of the Object prototype.

Recommendation

Update to version 1.2.1 or later.

Details about merge@1.0.0

Summary:

Prototype Pollution in merge

Details:

All versions of package merge <2.1.1 are vulnerable to Prototype Pollution via _recursiveMerge .

Details about merge@1.0.0

Summary:

Prototype pollution in Plist before 3.0.5 can cause denial of service

Details:

Prototype pollution vulnerability via .parse() in Plist allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.

Details about plist@0.2.1

Version Details and Security Vulnerabilities

prova

Comparision Betweeen 1.4.1 and 1.4.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

prova

Comparision Betweeen 1.4.1 and 1.4.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

new-command@0.0.3 MAL-2025-27359 N/A

show-help@1.0.0 MAL-2025-33162 N/A

first-val@0.0.0 MAL-2025-20604 N/A

show-version@1.0.1 MAL-2025-33163 N/A

minimist@0.0.10 GHSA-vh95-rmgr-6w4m 5.6

Recommendation

minimist@0.0.10 GHSA-xvch-5gv4-984h 9.8

failing-code@0.0.2 MAL-2025-20162 N/A

failing-line@0.0.7 MAL-2025-20163 N/A

format-text@0.0.3 MAL-2025-20789 N/A

style-format@0.0.0 MAL-2025-34115 N/A

ansi-codes@2.0.0 MAL-2025-14554 N/A

filter-stack@0.0.0 MAL-2025-20557 N/A

uglify-js@2.4.24 GHSA-c9f4-xj24-8jqx 7.5

Proof of Concept

Results

Recommendation

shell-quote@0.0.1 GHSA-qg8p-v9q4-gh34 9.8

Proof of Concept:

Recommendation

syntax-error@0.1.0 GHSA-5726-g6r9-5f22 N/A

Recommendation

local-debug@0.0.0 MAL-2025-25478 N/A

path-to-regexp@0.0.2 GHSA-9wv6-86v2-598j 7.7

Impact

Patches

Workarounds

Details

References

path-to-regexp@0.0.2 GHSA-rhx6-c78j-4q9w 7.7

Impact

Patches

Workarounds

References

default-debug@0.0.0 MAL-2025-18178 N/A

stream-format@0.0.3 MAL-2025-34079 N/A

new-format@0.0.1 MAL-2025-27361 N/A

pause-function@0.0.1 MAL-2025-28923 N/A

minimatch@0.2.14 GHSA-hxm2-r34f-qmc5 7.5

Proof of Concept

Recommendation

minimatch@0.2.14 GHSA-f8q6-p94x-37v3 7.5

style-dom@0.0.0 MAL-2025-34114 N/A

prettify-error@0.0.4 MAL-2025-29635 N/A

bind-key@0.0.0 MAL-2025-15691 N/A

run-serially@0.0.0 MAL-2025-32565 N/A

just-next-tick@0.0.0 MAL-2025-24119 N/A

flat-glob@0.0.1 MAL-2025-20688 N/A

uniques@0.0.1 MAL-2025-37826 N/A

merge@1.0.0 GHSA-f9cm-qmx5-m98h 7.5

Recommendation

merge@1.0.0 GHSA-7wpw-2hjm-89gp 7.3

plist@0.2.1 GHSA-4cpg-3vgw-4877 9.8

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

new-command@0.0.3 MAL-2025-27359 N/A

show-help@1.0.0 MAL-2025-33162 N/A

first-val@0.0.0 MAL-2025-20604 N/A

show-version@1.0.1 MAL-2025-33163 N/A

minimist@0.0.10 GHSA-vh95-rmgr-6w4m 5.6

Recommendation

minimist@0.0.10 GHSA-xvch-5gv4-984h 9.8

failing-code@0.0.2 MAL-2025-20162 N/A

failing-line@0.0.7 MAL-2025-20163 N/A