median pinned to 0.0.x — pre-release used in production
`median` is pulled in as `^0.0.2`, a 0.0.x release range explicitly flagged by the brief as risky in production.
The dependency block contains:

```json
"median": "^0.0.2",
```
Under npm's caret rules, `^0.0.2` resolves to `>=0.0.2 <0.0.3`, which is 0.0.2 exactly: when the major and minor versions are both 0, the caret allows no upward movement at all. Semver further states that anything may change at any time while the major version is 0, so each 0.0.x patch is allowed to break the API and there is no stability guarantee. The brief calls out 0.0.x in production as a flag-worthy pattern. Additionally, packages stuck at 0.0.x are common targets for namespace takeover and have minimal maintainer scrutiny.
`npm view median versions` shows the package has never reached a stable 0.x.y, much less 1.0.0; treat any release here as untested for production.
Supply-chain and stability risk: vulnerabilities in 0.0.x packages frequently go unfixed, and the narrow caret range means even legitimate patches will not be picked up automatically. Affects every user of the running server.
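To make the two points above concrete (the caret range collapsing to an exact pin for 0.0.x, and the need to spot such entries in a dependency block), here is an added example that is not part of the original finding. It reimplements only npm's caret rule for plain `^MAJOR.MINOR.PATCH` ranges (real npm uses the `semver` package) and scans a constructed package.json object; only the `median` entry comes from the finding, the other entries are assumed sample data.

```javascript
// Added example, not from the original finding. Assumes only Node's standard library.
// caretRange(): expand a caret range the way npm does for plain ^X.Y.Z forms.
// Returns null for any other range syntax (tilde, exact, wildcard, etc.).
function caretRange(range) {
  const m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  if (!m) return null;
  const [major, minor, patch] = m.slice(1).map(Number);
  const lower = `${major}.${minor}.${patch}`;
  let upper;
  if (major > 0) upper = `${major + 1}.0.0`;       // ^1.2.3 -> >=1.2.3 <2.0.0
  else if (minor > 0) upper = `0.${minor + 1}.0`;  // ^0.2.1 -> >=0.2.1 <0.3.0
  else upper = `0.0.${patch + 1}`;                 // ^0.0.2 -> >=0.0.2 <0.0.3 (one version)
  // With major and minor both 0, the range admits exactly one version.
  return { lower, upper, exactPin: major === 0 && minor === 0 };
}

// isZeroZero(): true when the declared version inside any range is 0.0.x.
function isZeroZero(range) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(range);
  return !!m && Number(m[1]) === 0 && Number(m[2]) === 0;
}

// findZeroZeroDeps(): walk the dependency fields of a parsed package.json and
// report every 0.0.x entry, with the caret expansion where it applies.
function findZeroZeroDeps(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (isZeroZero(range)) {
        findings.push({ field, name, range, caret: caretRange(range) });
      }
    }
  }
  return findings;
}

// Constructed sample block: only "median": "^0.0.2" is taken from the finding;
// the remaining entries are made up to show non-flagged and tilde cases.
const samplePackageJson = {
  dependencies: {
    "express": "^4.18.2",
    "median": "^0.0.2",
    "some-lib": "~0.0.5"
  },
  devDependencies: { "mocha": "^10.0.0" }
};

for (const f of findZeroZeroDeps(samplePackageJson)) {
  const resolved = f.caret ? `>=${f.caret.lower} <${f.caret.upper}` : "(non-caret range)";
  console.log(`${f.field}: ${f.name}@${f.range} resolves to ${resolved}`);
}
```

Run with `node` against the constructed object; the `median` line shows the range collapsing to `>=0.0.2 <0.0.3`, which is why a legitimate 0.0.3 fix would not be picked up by `npm install` without editing package.json. Pointing `findZeroZeroDeps` at `JSON.parse(fs.readFileSync("package.json"))` turns it into a simple pre-merge check for the pattern the brief flags.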
The "median": "^0.0.2" entry in package.json matches exactly the pattern the brief flags as risky: a 0.0.x pre-release used in a production dependency block. Per npm semver, ^0.0.2 is effectively pinned to 0.0.2, with no API stability guarantee and a maintainer history that never reached 1.0. The scope explicitly directs us to treat Juice Shop as production code, so the educational nature of the project does not excuse the unstable dependency. The specific code element exists and matches the rule.
The finding is "median": "^0.0.2" in package.json, a stability/supply-chain pattern flag, not a confirmed exploitable vulnerability. No specific CVE, malicious release, or sink is identified in the source shown; the risk is hypothetical (namespace takeover or an unpatched bug landing in a 0.0.x package). Attack Complexity is H because exploitation depends on a prerequisite outside the code (an attacker actually publishing/exploiting a compromised median release, or a latent bug being present). If that prerequisite is met, impact could plausibly reach the running server via npm install, so I score CIA as L across the board to reflect uncertain, bounded impact rather than the H/H/H worst case that would require evidence of an actual malicious or vulnerable version. PR/UI are N and AV is N because once such a release lands, every server user is affected without authentication or interaction.
- https://semver.org/#spec-item-4
- CWE-1104