@cyberhub/trust-axios 1.0.1 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +52 -41
  2. package/package.json +18 -4
package/README.md CHANGED
@@ -1,65 +1,76 @@
1
1
  # Security Trust Report: axios
2
2
 
3
- **Score: 62/100 | Grade: C+ | Tier: STANDARD** (confidence: ±3)
3
+ **axios@1.14.0: 62/100 | Grade: C+ | Tier: STANDARD** (confidence: ±3)
4
4
 
5
- > ⚠️ Notable risk factors. Review flags and actions below.
5
+ > Data verified on 2026-04-02 from 8 security databases.
6
+
7
+ ## TL;DR
8
+
9
+ - **1 vulnerability found** (1 critical, 0 high)
10
+ - Consider switching to **got** (No known breaches, better error handling)
11
+ - Pin your version and monitor for changes
12
+
13
+ ## ⚠️ Security Incident Background
14
+
15
+ CVE-2023-45857: CSRF token theft via cookie exposure. CVE-2024-28849: SSRF vulnerability via follow-redirects dependency allowing proxy-authorization header leak. The North Korea-linked Lazarus Group targeted axios in typosquatting campaigns.
6
16
 
7
17
  ## Score Breakdown
8
18
 
9
- | Category | Score |
10
- |----------|-------|
11
- | Maintainer Trust | 80/100 |
12
- | Package Health | 89/100 |
13
- | Supply Chain | 19/100 |
14
- | Community | 48/100 |
19
+ ```
20
+ Maintainer Trust: ████████████████░░░░ 80/100
21
+ Package Health: ██████████████████░░ 89/100
22
+ Supply Chain: ████░░░░░░░░░░░░░░░░ 19/100
23
+ Community: ██████████░░░░░░░░░░ 48/100
24
+ ```
25
+
26
+ ### Why this score?
15
27
 
16
- ## Vulnerabilities
28
+ - Supply Chain is 19 because: 1 known CVEs, in breach database, risky dependencies
29
+ - Community is 48 because: no GitHub repo found
17
30
 
18
- **1 vulnerabilities** (Critical: 1, High: 0, Medium: 0)
31
+ ## Vulnerabilities (1 vulnerability)
32
+
33
+ | Severity | Count |
34
+ |----------|-------|
35
+ | 🔴 Critical | 1 |
19
36
 
20
37
  - [CVE-2023-45857](https://nvd.nist.gov/vuln/detail/CVE-2023-45857)
21
38
  - [CVE-2024-28849](https://nvd.nist.gov/vuln/detail/CVE-2024-28849)
22
39
 
23
- ## Flags
24
-
25
- - **CRITICAL**: RECENT-ISH BREACH: CSRF token theft CVE-2023-45857, SSRF via follow-redirects dependency CVE-2024-28849 (2023-2024)
26
- - **CRITICAL**: 1 CRITICAL vulnerability(ies) from live CVE databases
27
- - **HIGH**: 1 direct dependencies have known security issues
28
- - **HIGH**: Depends on "follow-redirects" which has SSRF CVE-2024-28849
29
- - **MEDIUM**: New maintainer(s) added in v0.11.0: nickuraltsev
30
- - **MEDIUM**: New maintainer(s) added in v0.20.0: emilyemorehouse
31
- - **MEDIUM**: New maintainer(s) added in v0.21.2: jasonsaayman
32
- - **MEDIUM**: Single maintainer — bus factor risk
33
- - **MEDIUM**: No GitHub repo found — community signals unavailable
34
- - **INFO**: Published with 2FA enabled (signed)
35
- - **INFO**: Package has provenance signatures
36
- - **INFO**: Has test framework dependency
40
+ ## Key Risk Flags
37
41
 
38
- ## 🛠️ What Should You Do?
42
+ - 🔴 **CRITICAL**: RECENT-ISH BREACH: CSRF token theft CVE-2023-45857, SSRF via follow-redirects dependency CVE-2024-28849 (2023-2024)
43
+ - 🔴 **CRITICAL**: 1 CRITICAL vulnerability(ies) from live CVE databases
44
+ - 🟠 **HIGH**: 1 direct dependencies have known security issues
45
+ - 🟠 **HIGH**: Depends on "follow-redirects" which has SSRF CVE-2024-28849
39
46
 
40
- **Immediate actions:**
41
- - ⛔ RECENT-ISH BREACH: CSRF token theft CVE-2023-45857, SSRF via follow-redirects dependency CVE-2024-28849 (2023-2024)
42
- - ⛔ 1 CRITICAL vulnerability(ies) from live CVE databases
47
+ ## 🛠️ What Should You Do?
43
48
 
44
- **Review:**
45
- - 🟠 1 direct dependencies have known security issues
46
- - 🟠 Depends on "follow-redirects" which has SSRF CVE-2024-28849
49
+ **Immediate:**
50
+ - Upgrade to the latest version (`npm update axios`)
51
+ - Or replace with [got](https://nrupak.com/trust/got)
47
52
 
48
- **Pin your version** and monitor for changes.
53
+ **Always:** Pin version, run `pkgtrust scan` in CI, monitor at [nrupak.com/trust/axios](https://nrupak.com/trust/axios)
49
54
 
50
- ## 🔄 Alternatives
55
+ ## 🔄 Safer Alternatives
51
56
 
52
- | Package | Why |
53
- |---------|-----|
54
- | [got](https://nrupak.com/trust/got) | No known breaches, better error handling |
55
- | [node-fetch](https://nrupak.com/trust/node-fetch) | Lightweight, fewer dependencies |
56
- | [undici](https://nrupak.com/trust/undici) | Node.js built-in HTTP client (Node 18+) |
57
+ | Package | Why | Trust Report |
58
+ |---------|-----|-------------|
59
+ | **got** | No known breaches, better error handling | [View score](https://nrupak.com/trust/got) |
60
+ | **node-fetch** | Lightweight, fewer dependencies | [View score](https://nrupak.com/trust/node-fetch) |
61
+ | **undici** | Node.js built-in HTTP client (Node 18+) | [View score](https://nrupak.com/trust/undici) |
57
62
 
58
63
  ## Maintainers
59
64
 
60
- - jasonsaayman ✅ 2FA
65
+ - [jasonsaayman](https://nrupak.com/trust/maintainer/jasonsaayman) ✅ 2FA (org)
61
66
 
62
- **Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
67
+ **Methodology:** 18+ signals across 4 categories (Maintainer 35%, Package 25%, Supply Chain 25%, Community 15%). [Full scoring docs →](https://nrupak.com/trust)
68
+
69
+ **Check your project:** `npm i -g @cyberhub/pkgtrust && pkgtrust scan axios` — [CLI docs](https://npmjs.com/package/@cyberhub/pkgtrust)
70
+ **Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
63
71
 
64
72
  ---
65
- *[pkgtrust](https://nrupak.com/trust/axios) | [Compare](https://nrupak.com/trust/compare) | [CLI](https://npmjs.com/package/@cyberhub/pkgtrust) | Updated 2026-04-02*
73
+
74
+ *Report by [pkgtrust](https://nrupak.com/trust/axios) · [Dashboard](https://nrupak.com/trust) · [Compare](https://nrupak.com/trust/compare) · [CLI](https://npmjs.com/package/@cyberhub/pkgtrust)*
75
+
76
+ *This is an automated security report. Not affiliated with the axios team. Updated 2026-04-02.*
package/package.json CHANGED
@@ -1,17 +1,31 @@
1
1
  {
2
2
  "name": "@cyberhub/trust-axios",
3
- "version": "1.0.1",
4
- "description": "Security Trust Report for axios — 62/100 (C+, standard). 8 security databases.",
3
+ "version": "1.0.3",
4
+ "description": "Security Trust Report: axios@1.14.0 — 62/100 (C+, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.",
5
5
  "keywords": [
6
+ "axios",
6
7
  "axios",
7
8
  "security",
9
+ "security-report",
8
10
  "trust-score",
9
11
  "vulnerability",
12
+ "npm-audit",
13
+ "npm-security",
14
+ "supply-chain",
10
15
  "pkgtrust",
11
- "CVE"
16
+ "audit",
17
+ "scan",
18
+ "risk",
19
+ "risk-assessment",
20
+ "CVE-2023-45857",
21
+ "CVE-2024-28849",
22
+ "got",
23
+ "node-fetch",
24
+ "undici",
25
+ "standard"
12
26
  ],
13
27
  "license": "MIT",
14
- "author": "Nrupak Shah",
28
+ "author": "Nrupak Shah <nrupaks@gmail.com>",
15
29
  "repository": {
16
30
  "type": "git",
17
31
  "url": "https://github.com/nrupaks/pkgtrust"