@cyberhub/trust-axios 1.0.0 → 1.0.2

package/README.md

@@ -1,38 +1,103 @@
 # Security Trust Report: axios
 
-**Score: 70/100 | Grade: B | Tier: STANDARD**
+**axios@1.14.0: 62/100 | Grade: C+ | Tier: STANDARD** (confidence: ±3)
 
-> This package has notable risk factors. Review flags below.
+> Data verified on 2026-04-02 from 8 security databases.
+
+## TL;DR
+
+- **1 vulnerability found** (1 critical, 0 high)
+- Consider switching to **got** (No known breaches, better error handling)
+- Pin your version and monitor for changes
+
+## ⚠️ Security Incident Background
+
+CVE-2023-45857: CSRF token theft via cookie exposure. CVE-2024-28849: SSRF vulnerability via follow-redirects dependency allowing proxy-authorization header leak. The North Korea-linked Lazarus Group targeted axios in typosquatting campaigns.
 
 ## Score Breakdown
 
-| Category | Score |
+```
+Maintainer Trust:  ████████████████░░░░ 80/100
+Package Health:    ██████████████████░░ 89/100
+Supply Chain:      ████░░░░░░░░░░░░░░░░ 19/100
+Community:         ██████████░░░░░░░░░░ 48/100
+```
+
+### Why this score?
+
+- Supply Chain is 19 because: 1 known CVEs, in breach database, risky dependencies
+- Community is 48 because: no GitHub repo found
+
+## Vulnerabilities (1 vulnerability)
+
+| Severity | Count |
 |----------|-------|
-| Maintainer Trust | 80/100 |
-| Package Health | 97/100 |
-| Supply Chain | 44/100 |
-| Community | 48/100 |
+| 🔴 Critical | 1 |
+
+- [CVE-2023-45857](https://nvd.nist.gov/vuln/detail/CVE-2023-45857)
+- [CVE-2024-28849](https://nvd.nist.gov/vuln/detail/CVE-2024-28849)
+
+## Key Risk Flags
+
+- 🔴 **CRITICAL**: RECENT-ISH BREACH: CSRF token theft CVE-2023-45857, SSRF via follow-redirects dependency CVE-2024-28849 (2023-2024)
+- 🔴 **CRITICAL**: 1 CRITICAL vulnerability(ies) from live CVE databases
+- 🟠 **HIGH**: 1 direct dependencies have known security issues
+- 🟠 **HIGH**: Depends on "follow-redirects" which has SSRF CVE-2024-28849
+
+## 🛠️ What Should You Do?
 
-## Vulnerabilities
+**Immediate:**
+- Upgrade to the latest version (`npm update axios`)
+- Review the security incident details above
+- Consider replacing with [got](https://nrupak.com/trust/got)
 
-No known vulnerabilities.
+**Always:**
+- Pin exact version: `"axios": "1.14.0"`
+- Run `pkgtrust scan` in your CI pipeline
+- Monitor: [nrupak.com/trust/axios](https://nrupak.com/trust/axios)
 
-## Flags
+## 🔄 Safer Alternatives
 
-- **CRITICAL**: RECENT-ISH BREACH: CSRF token theft CVE-2023-45857, SSRF via follow-redirects dependency CVE-2024-28849 (2023-2024)
-- **HIGH**: 1 direct dependencies have known security issues
-- **HIGH**: Depends on "follow-redirects" which has SSRF CVE-2024-28849
-- **MEDIUM**: New maintainer(s) added in v0.11.0: nickuraltsev
-- **MEDIUM**: New maintainer(s) added in v0.20.0: emilyemorehouse
-- **MEDIUM**: New maintainer(s) added in v0.21.2: jasonsaayman
-- **MEDIUM**: Single maintainer — bus factor risk
-- **MEDIUM**: No GitHub repo found — community signals unavailable
-- **INFO**: Published with 2FA enabled (signed)
-- **INFO**: Package has provenance signatures
+| Package | Why | Trust Report |
+|---------|-----|-------------|
+| **got** | No known breaches, better error handling | [View score](https://nrupak.com/trust/got) |
+| **node-fetch** | Lightweight, fewer dependencies | [View score](https://nrupak.com/trust/node-fetch) |
+| **undici** | Node.js built-in HTTP client (Node 18+) | [View score](https://nrupak.com/trust/undici) |
 
 ## Maintainers
 
-- jasonsaayman (2FA)
+- **jasonsaayman** ✅ 2FA enabled (org email)
+
+## Methodology
+
+This score is computed from **18+ signals** across **4 categories**:
+- **Maintainer Trust (35%)**: Account age, 2FA, publish cadence, maintainer changes, email domain
+- **Package Health (25%)**: Install scripts, dependency count, license, provenance, size changes, code quality
+- **Supply Chain (25%)**: Live CVEs from 8 databases, known breaches, typosquatting, transitive risk
+- **Community (15%)**: GitHub stars, contributors, CI, OpenSSF Scorecard, npms.io quality
+
+[Full scoring methodology →](https://nrupak.com/trust)
+
+## Check Your Project
+
+```bash
+# Install pkgtrust
+npm install -g @cyberhub/pkgtrust
+
+# Scan a specific package
+pkgtrust scan axios
+
+# Scan all your dependencies
+pkgtrust scan
+
+# Compare alternatives
+pkgtrust compare axios got node-fetch
+```
+
+**Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
 
 ---
-*[pkgtrust](https://nrupak.com/trust/axios) | [Dashboard](https://nrupak.com/trust) | Updated 2026-04-02*
+
+*Report by [pkgtrust](https://nrupak.com/trust/axios) · [Dashboard](https://nrupak.com/trust) · [Compare](https://nrupak.com/trust/compare) · [CLI](https://npmjs.com/package/@cyberhub/pkgtrust)*
+
+*This is an automated security report. Not affiliated with the axios team. Updated 2026-04-02.*

package/package.json

@@ -1,17 +1,31 @@
 {
   "name": "@cyberhub/trust-axios",
-  "version": "1.0.0",
-  "description": "Security Trust Report for axios — 70/100 (B, standard). Maintainer risk and vulnerability analysis from 8 security databases.",
+  "version": "1.0.2",
+  "description": "Security Trust Report: axios@1.14.0 — 62/100 (C+, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.",
   "keywords": [
+    "axios",
     "axios",
     "security",
+    "security-report",
     "trust-score",
     "vulnerability",
+    "npm-audit",
+    "npm-security",
+    "supply-chain",
     "pkgtrust",
-    "CVE"
+    "audit",
+    "scan",
+    "risk",
+    "risk-assessment",
+    "CVE-2023-45857",
+    "CVE-2024-28849",
+    "got",
+    "node-fetch",
+    "undici",
+    "standard"
   ],
   "license": "MIT",
-  "author": "Nrupak Shah",
+  "author": "Nrupak Shah <nrupaks@gmail.com>",
   "repository": {
     "type": "git",
     "url": "https://github.com/nrupaks/pkgtrust"