@cyberhub/trust-axios 1.0.8 → 1.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +22 -16
  2. package/package.json +8 -8
package/README.md CHANGED
@@ -1,12 +1,12 @@
1
1
  # Security Trust Report: axios
2
2
 
3
- **[axios@1.14.0](https://www.npmjs.com/package/axios): 64/100 | Grade: C+ | Tier: STANDARD** (confidence: ±3)
3
+ **[axios@1.14.0](https://www.npmjs.com/package/axios): 65/100 | Grade: B | Tier: STANDARD** (confidence: ±3)
4
4
 
5
- > Scanned on 2026-04-03 from 8 security databases. [View package on npm →](https://www.npmjs.com/package/axios)
5
+ > Scanned on 2026-04-08 from 8 security databases. [View package on npm →](https://www.npmjs.com/package/axios)
6
6
 
7
7
  ## TL;DR
8
8
 
9
- - **1 vulnerability found** (1 critical, 0 high)
9
+ - **8 vulnerabilities found** (0 critical, 6 high)
10
10
  - Consider switching to **got** (No known breaches, better error handling)
11
11
  - Pin your version and monitor for changes
12
12
 
@@ -18,29 +18,35 @@ CVE-2023-45857: CSRF token theft via cookie exposure. CVE-2024-28849: SSRF vulne
18
18
 
19
19
  ```
20
20
  Maintainer Trust: ████████████████░░░░ 80/100
21
- Package Health: ██████████████████░░ 89/100
22
- Supply Chain: █████░░░░░░░░░░░░░░░ 26/100
23
- Community: ██████████░░░░░░░░░░ 48/100
21
+ Package Health: ███████████████████░ 93/100
22
+ Supply Chain: ░░░░░░░░░░░░░░░░░░░░ 0/100
23
+ Community: ███████████████████░ 93/100
24
24
  ```
25
25
 
26
26
  ### Why this score?
27
27
 
28
- - Supply Chain is 26 because: 1 known CVEs, in breach database, risky dependencies
29
- - Community is 48 because: no public GitHub repo linked (may be private or on another platform)
28
+ - Supply Chain is 0 because: 8 known CVEs, in breach database, risky dependencies
30
29
 
31
- ## Vulnerabilities (1 vulnerability)
30
+ ## Vulnerabilities (8 vulnerabilities)
32
31
 
33
32
  | Severity | Count |
34
33
  |----------|-------|
35
- | 🔴 Critical | 1 |
36
-
37
- - [CVE-2023-45857](https://nvd.nist.gov/vuln/detail/CVE-2023-45857)
38
- - [CVE-2024-28849](https://nvd.nist.gov/vuln/detail/CVE-2024-28849)
34
+ | 🟠 High | 6 |
35
+ | 🟡 Medium | 2 |
36
+
37
+ - [CVE-2026-25639](https://nvd.nist.gov/vuln/detail/CVE-2026-25639)
38
+ - [GHSA-43fc-jf86-j433](https://github.com/advisories/GHSA-43fc-jf86-j433)
39
+ - [CVE-2025-58754](https://nvd.nist.gov/vuln/detail/CVE-2025-58754)
40
+ - [GHSA-4hjh-wcwx-xvwj](https://github.com/advisories/GHSA-4hjh-wcwx-xvwj)
41
+ - [CVE-2025-27152](https://nvd.nist.gov/vuln/detail/CVE-2025-27152)
42
+ - [GHSA-jr5f-v2jv-69x6](https://github.com/advisories/GHSA-jr5f-v2jv-69x6)
43
+ - [CVE-2024-39338](https://nvd.nist.gov/vuln/detail/CVE-2024-39338)
44
+ - [GHSA-8hc4-vh64-cxmj](https://github.com/advisories/GHSA-8hc4-vh64-cxmj)
39
45
 
40
46
  ## Key Risk Flags
41
47
 
42
48
  - 🔴 **CRITICAL**: RECENT-ISH BREACH: CSRF token theft CVE-2023-45857, SSRF via follow-redirects dependency CVE-2024-28849 (2023-2024) ([evidence](https://nvd.nist.gov/vuln/detail/CVE-2023-45857))
43
- - 🔴 **CRITICAL**: 1 CRITICAL vulnerability from live CVE databases
49
+ - 🟠 **HIGH**: 6 HIGH vulnerabilities detected
44
50
  - 🟠 **HIGH**: 1 direct dependencies have known security issues
45
51
 
46
52
  ## 🛠️ What Should You Do?
@@ -66,10 +72,10 @@ Community: ██████████░░░░░░░░░░
66
72
  **Methodology:** 18+ signals across 4 categories (Maintainer 35%, Package 25%, Supply Chain 25%, Community 15%). [Full scoring docs →](https://nrupak.com/trust)
67
73
 
68
74
  **Check your project:** `npm i -g @cyberhub/pkgtrust && pkgtrust scan axios` — [CLI docs](https://npmjs.com/package/@cyberhub/pkgtrust)
69
- **Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
75
+ **Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev · CISA KEV · Packagephobia · OpenSSF Scorecard · Ecosyste.ms · GitHub Enhanced · Keybase · npm Provenance
70
76
 
71
77
  ---
72
78
 
73
79
  *Report by [pkgtrust](https://nrupak.com/trust/axios) · [Dashboard](https://nrupak.com/trust) · [Compare](https://nrupak.com/trust/compare) · [CLI](https://npmjs.com/package/@cyberhub/pkgtrust)*
74
80
 
75
- *This is an automated security report. Not affiliated with the axios team. Updated 2026-04-03.*
81
+ *This is an automated security report. Not affiliated with the axios team. Updated 2026-04-08.*
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@cyberhub/trust-axios",
3
- "version": "1.0.8",
4
- "description": "Security Trust Report: axios@1.14.0 — 64/100 (C+, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.",
3
+ "version": "1.0.9",
4
+ "description": "Security Trust Report: axios@1.14.0 — 65/100 (B, standard). 8 vulnerabilities found. Maintainer risk, supply chain analysis from 8 security databases.",
5
5
  "keywords": [
6
6
  "axios",
7
7
  "axios",
@@ -17,12 +17,12 @@
17
17
  "scan",
18
18
  "risk",
19
19
  "risk-assessment",
20
- "CVE-2023-45857",
21
- "CVE-2024-28849",
22
- "got",
23
- "node-fetch",
24
- "undici",
25
- "standard"
20
+ "CVE-2026-25639",
21
+ "GHSA-43fc-jf86-j433",
22
+ "CVE-2025-58754",
23
+ "GHSA-4hjh-wcwx-xvwj",
24
+ "CVE-2025-27152",
25
+ "got"
26
26
  ],
27
27
  "license": "MIT",
28
28
  "author": "Nrupak Shah <nrupaks@gmail.com>",