@cyberhub/trust-axios 1.0.1 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +79 -41
  2. package/package.json +18 -4
package/README.md CHANGED
@@ -1,65 +1,103 @@
1
1
  # Security Trust Report: axios
2
2
 
3
- **Score: 62/100 | Grade: C+ | Tier: STANDARD** (confidence: ±3)
3
+ **axios@1.14.0: 62/100 | Grade: C+ | Tier: STANDARD** (confidence: ±3)
4
4
 
5
- > ⚠️ Notable risk factors. Review flags and actions below.
5
+ > Data verified on 2026-04-02 from 8 security databases.
6
+
7
+ ## TL;DR
8
+
9
+ - **1 vulnerability found** (1 critical, 0 high)
10
+ - Consider switching to **got** (No known breaches, better error handling)
11
+ - Pin your version and monitor for changes
12
+
13
+ ## ⚠️ Security Incident Background
14
+
15
+ CVE-2023-45857: CSRF token theft via cookie exposure. CVE-2024-28849: SSRF vulnerability via follow-redirects dependency allowing proxy-authorization header leak. The North Korea-linked Lazarus Group targeted axios in typosquatting campaigns.
6
16
 
7
17
  ## Score Breakdown
8
18
 
9
- | Category | Score |
10
- |----------|-------|
11
- | Maintainer Trust | 80/100 |
12
- | Package Health | 89/100 |
13
- | Supply Chain | 19/100 |
14
- | Community | 48/100 |
19
+ ```
20
+ Maintainer Trust: ████████████████░░░░ 80/100
21
+ Package Health: ██████████████████░░ 89/100
22
+ Supply Chain: ████░░░░░░░░░░░░░░░░ 19/100
23
+ Community: ██████████░░░░░░░░░░ 48/100
24
+ ```
15
25
 
16
- ## Vulnerabilities
26
+ ### Why this score?
17
27
 
18
- **1 vulnerabilities** (Critical: 1, High: 0, Medium: 0)
28
+ - Supply Chain is 19 because: 1 known CVEs, in breach database, risky dependencies
29
+ - Community is 48 because: no GitHub repo found
30
+
31
+ ## Vulnerabilities (1 vulnerability)
32
+
33
+ | Severity | Count |
34
+ |----------|-------|
35
+ | 🔴 Critical | 1 |
19
36
 
20
37
  - [CVE-2023-45857](https://nvd.nist.gov/vuln/detail/CVE-2023-45857)
21
38
  - [CVE-2024-28849](https://nvd.nist.gov/vuln/detail/CVE-2024-28849)
22
39
 
23
- ## Flags
24
-
25
- - **CRITICAL**: RECENT-ISH BREACH: CSRF token theft CVE-2023-45857, SSRF via follow-redirects dependency CVE-2024-28849 (2023-2024)
26
- - **CRITICAL**: 1 CRITICAL vulnerability(ies) from live CVE databases
27
- - **HIGH**: 1 direct dependencies have known security issues
28
- - **HIGH**: Depends on "follow-redirects" which has SSRF CVE-2024-28849
29
- - **MEDIUM**: New maintainer(s) added in v0.11.0: nickuraltsev
30
- - **MEDIUM**: New maintainer(s) added in v0.20.0: emilyemorehouse
31
- - **MEDIUM**: New maintainer(s) added in v0.21.2: jasonsaayman
32
- - **MEDIUM**: Single maintainer — bus factor risk
33
- - **MEDIUM**: No GitHub repo found — community signals unavailable
34
- - **INFO**: Published with 2FA enabled (signed)
35
- - **INFO**: Package has provenance signatures
36
- - **INFO**: Has test framework dependency
40
+ ## Key Risk Flags
37
41
 
38
- ## 🛠️ What Should You Do?
42
+ - 🔴 **CRITICAL**: RECENT-ISH BREACH: CSRF token theft CVE-2023-45857, SSRF via follow-redirects dependency CVE-2024-28849 (2023-2024)
43
+ - 🔴 **CRITICAL**: 1 CRITICAL vulnerability(ies) from live CVE databases
44
+ - 🟠 **HIGH**: 1 direct dependencies have known security issues
45
+ - 🟠 **HIGH**: Depends on "follow-redirects" which has SSRF CVE-2024-28849
39
46
 
40
- **Immediate actions:**
41
- - ⛔ RECENT-ISH BREACH: CSRF token theft CVE-2023-45857, SSRF via follow-redirects dependency CVE-2024-28849 (2023-2024)
42
- - ⛔ 1 CRITICAL vulnerability(ies) from live CVE databases
47
+ ## 🛠️ What Should You Do?
43
48
 
44
- **Review:**
45
- - 🟠 1 direct dependencies have known security issues
46
- - 🟠 Depends on "follow-redirects" which has SSRF CVE-2024-28849
49
+ **Immediate:**
50
+ - Upgrade to the latest version (`npm update axios`)
51
+ - Review the security incident details above
52
+ - Consider replacing with [got](https://nrupak.com/trust/got)
47
53
 
48
- **Pin your version** and monitor for changes.
54
+ **Always:**
55
+ - Pin exact version: `"axios": "1.14.0"`
56
+ - Run `pkgtrust scan` in your CI pipeline
57
+ - Monitor: [nrupak.com/trust/axios](https://nrupak.com/trust/axios)
49
58
 
50
- ## 🔄 Alternatives
59
+ ## 🔄 Safer Alternatives
51
60
 
52
- | Package | Why |
53
- |---------|-----|
54
- | [got](https://nrupak.com/trust/got) | No known breaches, better error handling |
55
- | [node-fetch](https://nrupak.com/trust/node-fetch) | Lightweight, fewer dependencies |
56
- | [undici](https://nrupak.com/trust/undici) | Node.js built-in HTTP client (Node 18+) |
61
+ | Package | Why | Trust Report |
62
+ |---------|-----|-------------|
63
+ | **got** | No known breaches, better error handling | [View score](https://nrupak.com/trust/got) |
64
+ | **node-fetch** | Lightweight, fewer dependencies | [View score](https://nrupak.com/trust/node-fetch) |
65
+ | **undici** | Node.js built-in HTTP client (Node 18+) | [View score](https://nrupak.com/trust/undici) |
57
66
 
58
67
  ## Maintainers
59
68
 
60
- - jasonsaayman ✅ 2FA
69
+ - **jasonsaayman** ✅ 2FA enabled (org email)
61
70
 
62
- **Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
71
+ ## Methodology
72
+
73
+ This score is computed from **18+ signals** across **4 categories**:
74
+ - **Maintainer Trust (35%)**: Account age, 2FA, publish cadence, maintainer changes, email domain
75
+ - **Package Health (25%)**: Install scripts, dependency count, license, provenance, size changes, code quality
76
+ - **Supply Chain (25%)**: Live CVEs from 8 databases, known breaches, typosquatting, transitive risk
77
+ - **Community (15%)**: GitHub stars, contributors, CI, OpenSSF Scorecard, npms.io quality
78
+
79
+ [Full scoring methodology →](https://nrupak.com/trust)
80
+
81
+ ## Check Your Project
82
+
83
+ ```bash
84
+ # Install pkgtrust
85
+ npm install -g @cyberhub/pkgtrust
86
+
87
+ # Scan a specific package
88
+ pkgtrust scan axios
89
+
90
+ # Scan all your dependencies
91
+ pkgtrust scan
92
+
93
+ # Compare alternatives
94
+ pkgtrust compare axios got node-fetch
95
+ ```
96
+
97
+ **Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
63
98
 
64
99
  ---
65
- *[pkgtrust](https://nrupak.com/trust/axios) | [Compare](https://nrupak.com/trust/compare) | [CLI](https://npmjs.com/package/@cyberhub/pkgtrust) | Updated 2026-04-02*
100
+
101
+ *Report by [pkgtrust](https://nrupak.com/trust/axios) · [Dashboard](https://nrupak.com/trust) · [Compare](https://nrupak.com/trust/compare) · [CLI](https://npmjs.com/package/@cyberhub/pkgtrust)*
102
+
103
+ *This is an automated security report. Not affiliated with the axios team. Updated 2026-04-02.*
package/package.json CHANGED
@@ -1,17 +1,31 @@
1
1
  {
2
2
  "name": "@cyberhub/trust-axios",
3
- "version": "1.0.1",
4
- "description": "Security Trust Report for axios — 62/100 (C+, standard). 8 security databases.",
3
+ "version": "1.0.2",
4
+ "description": "Security Trust Report: axios@1.14.0 — 62/100 (C+, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.",
5
5
  "keywords": [
6
+ "axios",
6
7
  "axios",
7
8
  "security",
9
+ "security-report",
8
10
  "trust-score",
9
11
  "vulnerability",
12
+ "npm-audit",
13
+ "npm-security",
14
+ "supply-chain",
10
15
  "pkgtrust",
11
- "CVE"
16
+ "audit",
17
+ "scan",
18
+ "risk",
19
+ "risk-assessment",
20
+ "CVE-2023-45857",
21
+ "CVE-2024-28849",
22
+ "got",
23
+ "node-fetch",
24
+ "undici",
25
+ "standard"
12
26
  ],
13
27
  "license": "MIT",
14
- "author": "Nrupak Shah",
28
+ "author": "Nrupak Shah <nrupaks@gmail.com>",
15
29
  "repository": {
16
30
  "type": "git",
17
31
  "url": "https://github.com/nrupaks/pkgtrust"