@cyberhub/trust-axios 1.0.4 → 1.0.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyberhub/trust-axios",
-  "version": "1.0.4",
+  "version": "1.0.5",
   "description": "Security Trust Report: axios@1.14.0 — 64/100 (C+, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.",
   "keywords": [
     "axios",
@@ -30,5 +30,6 @@
     "type": "git",
     "url": "https://github.com/nrupaks/pkgtrust"
   },
-  "homepage": "https://nrupak.com/trust/axios"
+  "homepage": "https://nrupak.com/trust/axios",
+  "readme": "# Security Trust Report: axios\n\n**[axios@1.14.0](https://www.npmjs.com/package/axios): 64/100 | Grade: C+ | Tier: STANDARD** (confidence: ±3)\n\n> Scanned on 2026-04-03 from 8 security databases. [View package on npm →](https://www.npmjs.com/package/axios)\n\n## TL;DR\n\n- **1 vulnerability found** (1 critical, 0 high)\n- Consider switching to **got** (No known breaches, better error handling)\n- Pin your version and monitor for changes\n\n## ⚠️ Security Incident Background\n\nCVE-2023-45857: CSRF token theft via cookie exposure. CVE-2024-28849: SSRF vulnerability via follow-redirects dependency allowing proxy-authorization header leak. The North Korea-linked Lazarus Group targeted axios in typosquatting campaigns.\n\n## Score Breakdown\n\n```\nMaintainer Trust:  ████████████████░░░░ 80/100\nPackage Health:    ██████████████████░░ 89/100\nSupply Chain:      █████░░░░░░░░░░░░░░░ 26/100\nCommunity:         ██████████░░░░░░░░░░ 48/100\n```\n\n### Why this score?\n\n- Supply Chain is 26 because: 1 known CVEs, in breach database, risky dependencies\n- Community is 48 because: no public GitHub repo linked (may be private or on another platform)\n\n## Vulnerabilities (1 vulnerability)\n\n| Severity | Count |\n|----------|-------|\n| 🔴 Critical | 1 |\n\n- [CVE-2023-45857](https://nvd.nist.gov/vuln/detail/CVE-2023-45857)\n- [CVE-2024-28849](https://nvd.nist.gov/vuln/detail/CVE-2024-28849)\n\n## Key Risk Flags\n\n- 🔴 **CRITICAL**: RECENT-ISH BREACH: CSRF token theft CVE-2023-45857, SSRF via follow-redirects dependency CVE-2024-28849 (2023-2024) ([evidence](https://nvd.nist.gov/vuln/detail/CVE-2023-45857))\n- 🔴 **CRITICAL**: 1 CRITICAL vulnerability from live CVE databases\n- 🟠 **HIGH**: 1 direct dependencies have known security issues\n\n## 🛠️ What Should You Do?\n\n**Immediate:**\n- Upgrade to the latest version (`npm update axios`)\n- Or replace with [got](https://nrupak.com/trust/got)\n\n**Always:** Pin version, run `pkgtrust scan` in CI, monitor at [nrupak.com/trust/axios](https://nrupak.com/trust/axios)\n\n## 🔄 Safer Alternatives\n\n| Package | Why | npm | Trust Score |\n|---------|-----|-----|-------------|\n| **got** | No known breaches, better error handling | [npm](https://www.npmjs.com/package/got) | [View score](https://nrupak.com/trust/got) |\n| **node-fetch** | Lightweight, fewer dependencies | [npm](https://www.npmjs.com/package/node-fetch) | [View score](https://nrupak.com/trust/node-fetch) |\n| **undici** | Node.js built-in HTTP client (Node 18+) | [npm](https://www.npmjs.com/package/undici) | [View score](https://nrupak.com/trust/undici) |\n\n## Maintainers (1)\n\n- [jasonsaayman](https://www.npmjs.com/~jasonsaayman) ✅ 2FA (org email) — [Trust profile](https://nrupak.com/trust/maintainer/jasonsaayman)\n\n**Methodology:** 18+ signals across 4 categories (Maintainer 35%, Package 25%, Supply Chain 25%, Community 15%). [Full scoring docs →](https://nrupak.com/trust)\n\n**Check your project:** `npm i -g @cyberhub/pkgtrust && pkgtrust scan axios` — [CLI docs](https://npmjs.com/package/@cyberhub/pkgtrust)\n**Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev\n\n---\n\n*Report by [pkgtrust](https://nrupak.com/trust/axios) · [Dashboard](https://nrupak.com/trust) · [Compare](https://nrupak.com/trust/compare) · [CLI](https://npmjs.com/package/@cyberhub/pkgtrust)*\n\n*This is an automated security report. Not affiliated with the axios team. Updated 2026-04-03.*"
 }