@cyberhub/trust-axios 1.0.0 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +34 -7
- package/package.json +2 -2
package/README.md
CHANGED
|
@@ -1,25 +1,29 @@
|
|
|
1
1
|
# Security Trust Report: axios
|
|
2
2
|
|
|
3
|
-
**Score:
|
|
3
|
+
**Score: 62/100 | Grade: C+ | Tier: STANDARD** (confidence: ±3)
|
|
4
4
|
|
|
5
|
-
>
|
|
5
|
+
> ⚠️ Notable risk factors. Review flags and actions below.
|
|
6
6
|
|
|
7
7
|
## Score Breakdown
|
|
8
8
|
|
|
9
9
|
| Category | Score |
|
|
10
10
|
|----------|-------|
|
|
11
11
|
| Maintainer Trust | 80/100 |
|
|
12
|
-
| Package Health |
|
|
13
|
-
| Supply Chain |
|
|
12
|
+
| Package Health | 89/100 |
|
|
13
|
+
| Supply Chain | 19/100 |
|
|
14
14
|
| Community | 48/100 |
|
|
15
15
|
|
|
16
16
|
## Vulnerabilities
|
|
17
17
|
|
|
18
|
-
|
|
18
|
+
**1 vulnerabilities** (Critical: 1, High: 0, Medium: 0)
|
|
19
|
+
|
|
20
|
+
- [CVE-2023-45857](https://nvd.nist.gov/vuln/detail/CVE-2023-45857)
|
|
21
|
+
- [CVE-2024-28849](https://nvd.nist.gov/vuln/detail/CVE-2024-28849)
|
|
19
22
|
|
|
20
23
|
## Flags
|
|
21
24
|
|
|
22
25
|
- **CRITICAL**: RECENT-ISH BREACH: CSRF token theft CVE-2023-45857, SSRF via follow-redirects dependency CVE-2024-28849 (2023-2024)
|
|
26
|
+
- **CRITICAL**: 1 CRITICAL vulnerability(ies) from live CVE databases
|
|
23
27
|
- **HIGH**: 1 direct dependencies have known security issues
|
|
24
28
|
- **HIGH**: Depends on "follow-redirects" which has SSRF CVE-2024-28849
|
|
25
29
|
- **MEDIUM**: New maintainer(s) added in v0.11.0: nickuraltsev
|
|
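Review bot: the added Vulnerabilities block contradicts itself. The new summary line `**1 vulnerabilities** (Critical: 1, High: 0, Medium: 0)` sits directly above two CVE entries (CVE-2023-45857 and CVE-2024-28849), and the new flag `1 CRITICAL vulnerability(ies) from live CVE databases` repeats the same wrong count. Make the headline count equal to the number of listed CVEs (and fix the plural: "1 vulnerability" or "2 vulnerabilities") and attach a severity to each list entry, because as written nothing in the section says which of the two is the one counted as Critical, so the tally cannot be checked against the list. The unchanged flag `RECENT-ISH BREACH: CSRF token theft CVE-2023-45857, SSRF via follow-redirects dependency CVE-2024-28849` should be reworded while this section is being touched: a published CVE in the package or its dependency is a vulnerability, not a breach of the package, and "recent-ish" is not a severity.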
@@ -29,10 +33,33 @@ No known vulnerabilities.
|
|
|
29
33
|
- **MEDIUM**: No GitHub repo found — community signals unavailable
|
|
30
34
|
- **INFO**: Published with 2FA enabled (signed)
|
|
31
35
|
- **INFO**: Package has provenance signatures
|
|
36
|
+
- **INFO**: Has test framework dependency
|
|
37
|
+
|
|
38
|
+
## 🛠️ What Should You Do?
|
|
39
|
+
|
|
40
|
+
**Immediate actions:**
|
|
41
|
+
- ⛔ RECENT-ISH BREACH: CSRF token theft CVE-2023-45857, SSRF via follow-redirects dependency CVE-2024-28849 (2023-2024)
|
|
42
|
+
- ⛔ 1 CRITICAL vulnerability(ies) from live CVE databases
|
|
43
|
+
|
|
44
|
+
**Review:**
|
|
45
|
+
- 🟠 1 direct dependencies have known security issues
|
|
46
|
+
- 🟠 Depends on "follow-redirects" which has SSRF CVE-2024-28849
|
|
47
|
+
|
|
48
|
+
**Pin your version** and monitor for changes.
|
|
49
|
+
|
|
50
|
+
## 🔄 Alternatives
|
|
51
|
+
|
|
52
|
+
| Package | Why |
|
|
53
|
+
|---------|-----|
|
|
54
|
+
| [got](https://nrupak.com/trust/got) | No known breaches, better error handling |
|
|
55
|
+
| [node-fetch](https://nrupak.com/trust/node-fetch) | Lightweight, fewer dependencies |
|
|
56
|
+
| [undici](https://nrupak.com/trust/undici) | Node.js built-in HTTP client (Node 18+) |
|
|
32
57
|
|
|
33
58
|
## Maintainers
|
|
34
59
|
|
|
35
|
-
- jasonsaayman
|
|
60
|
+
- jasonsaayman ✅ 2FA
|
|
61
|
+
|
|
62
|
+
**Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
|
|
36
63
|
|
|
37
64
|
---
|
|
38
|
-
*[pkgtrust](https://nrupak.com/trust/axios) | [
|
|
65
|
+
*[pkgtrust](https://nrupak.com/trust/axios) | [Compare](https://nrupak.com/trust/compare) | [CLI](https://npmjs.com/package/@cyberhub/pkgtrust) | Updated 2026-04-02*
|
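Review bot: the hunk header carries `No known vulnerabilities.` as unchanged context from the old file, so that sentence still survives in 1.0.1 between the new `**1 vulnerabilities**` summary with its two CVE links and this hunk's `## Flags` context; the line should have been removed or replaced in this change. The added "Immediate actions" and "Review" bullets repeat the Flags entries word for word (including the `BREACH` wording and the `1 CRITICAL vulnerability(ies)` count), so every correction to the Flags section now has to be made twice; derive one list from the other. In the Alternatives table, the `undici` row says "Node.js built-in HTTP client (Node 18+)" but links to the npm package: Node 18+ bundles undici internally to implement the global `fetch`, while the npm package is a separate dependency, so either name `fetch` as the built-in option or describe undici as the library behind it. The `got` row's "No known breaches, better error handling" is an unsupported comparative claim and misuses "breaches" again. Finally, the new Maintainers list shows a single maintainer, `jasonsaayman ✅ 2FA`, while the unchanged MEDIUM flag above names `nickuraltsev` as a maintainer added in v0.11.0; the two sections should agree on who the maintainers are.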
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@cyberhub/trust-axios",
|
|
3
|
-
"version": "1.0.
|
|
4
|
-
"description": "Security Trust Report for axios —
|
|
3
|
+
"version": "1.0.1",
|
|
4
|
+
"description": "Security Trust Report for axios — 62/100 (C+, standard). 8 security databases.",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"axios",
|
|
7
7
|
"security",
|
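Review bot: the new `description` hard-codes a score snapshot, `62/100 (C+, standard)`, into package metadata with no date, whereas the README gives the same score with a confidence band and an `Updated 2026-04-02` footer; the npm listing will go stale on the next regeneration and can disagree with the README it ships. Either keep the description stable ("Security Trust Report for axios; current score in README") or include the same Updated date in it. The phrase "8 security databases" also overstates the README's `Sources:` line, which lists eight entries but includes Bundlephobia (bundle size) and npms.io (popularity scoring); "8 sources" is accurate, "8 security databases" is not.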