Get tags from a remote git repo. Using only JS. No git binary required.
by sindresorhus · JavaScript
Last 12 weeks · 0 commits
4 of 6 standards met
Hi, we are a security team. We found a prototype pollution vulnerability in your project.

The issue affects . The vulnerable behavior happens when tag names from an attacker-controlled remote repository are used as dynamic property keys while building the result object. If the remote repository contains a tag named , prototype pollution may occur.

Impact
An attacker controlling the remote repository may be able to change the prototype of the returned object in the affected runtime.

Proof of concept

Details
We confirmed the following case: sink:

The root cause is that untrusted tag names can flow into dynamic property writes without blocking special prototype-related keys.
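The class of bug the report above describes, shown beside two hardened forms, as an added example that is not code from the report or from the project. The function names are hypothetical, the tag list is constructed, `__proto__` stands in as a representative prototype-related key, and the example assumes each tag maps to an object value (a plain string assigned to `__proto__` is ignored by the runtime).

```javascript
// Constructed sample input: (tag name, commit id) pairs; names and ids are made up.
const advertisedTags = [
  ['v1.0.0', '1'.repeat(40)],
  ['__proto__', '2'.repeat(40)],
  ['v1.1.0', '3'.repeat(40)],
];

// Hypothetical vulnerable pattern: untrusted names used as keys on a plain object.
function buildTagsUnsafe(pairs) {
  const result = {};
  for (const [name, sha] of pairs) {
    result[name] = {sha}; // name === '__proto__' invokes the inherited prototype setter
  }
  return result;
}

// Hardened: a Map stores every key as plain data, including '__proto__'.
function buildTagsMap(pairs) {
  const result = new Map();
  for (const [name, sha] of pairs) {
    result.set(name, {sha});
  }
  return result;
}

// Hardened alternative when callers need a plain object: with a null
// prototype there is no inherited __proto__ accessor for the write to reach.
function buildTagsNullProto(pairs) {
  const result = Object.create(null);
  for (const [name, sha] of pairs) {
    result[name] = {sha};
  }
  return result;
}

// Check a caller or regression test can run on a returned plain object.
function prototypeWasReplaced(object) {
  const proto = Object.getPrototypeOf(object);
  return proto !== Object.prototype && proto !== null;
}

const unsafe = buildTagsUnsafe(advertisedTags);
console.log('unsafe: prototype replaced =', prototypeWasReplaced(unsafe));
console.log('unsafe: own keys =', Object.keys(unsafe), 'inherited sha =', unsafe.sha);
console.log('map: keys =', [...buildTagsMap(advertisedTags).keys()]);
console.log('null-proto: keys =', Object.keys(buildTagsNullProto(advertisedTags)));
```

In the unsafe variant the crafted tag disappears from the own keys and its value becomes the prototype of the returned object only; `Object.prototype` itself is not modified.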
Repository: sindresorhus/remote-git-tags. Description: Get tags from a remote git repo. Using only JS. No git binary required. Stars: 52, Forks: 9. Primary language: JavaScript. Languages: JavaScript (100%). License: MIT. Latest release: v4.0.0 (4y ago). Open PRs: 0, open issues: 0. Last activity: 3y ago. Community health: 85%. Top contributors: sindresorhus, Richienb.