{
  "repository": "https://github.com/haraka/email-message",
  "commit_source": "git_rev_parse",
  "commit_sha": "2378d699ee68a7e55bbfedbedc9f1effb5a06c21",
  "submitted_target": {
    "target_kind": "npm_package",
    "version": "1.2.0",
    "display": "haraka-email-message@1.2.0 (vulnerable baseline)"
  },
  "variant_target": {
    "target_kind": "npm_package",
    "version": "1.3.2",
    "commit_sha": "2378d699ee68a7e55bbfedbedc9f1effb5a06c21",
    "display": "haraka-email-message@1.3.2 (fixed version with bypass tests)"
  },
  "notes": "Fixed version v1.3.2 was obtained via npm install. The corresponding git commit 2378d69 (tag v1.3.2) contains the fix in lib/header.js with Object.create(null) and explicit guards for __proto__, constructor, and prototype keys."
}