@cyberhub/trust-colors 1.0.0 → 1.0.2

package/README.md

@@ -1,38 +1,101 @@
 # Security Trust Report: colors
 
-**Score: 56/100 | Grade: C+ | Tier: STANDARD**
+**colors@1.4.0: 47/100 | Grade: C | Tier: CAUTION** (confidence: ±3)
 
-> This package has notable risk factors. Review flags below.
+> Data verified on 2026-04-02 from 8 security databases.
+
+## TL;DR
+
+- **1 vulnerability found** (1 critical, 0 high)
+- Consider switching to **chalk** (Most popular terminal color library)
+- **Action required:** Review flags below and upgrade or replace this package
+
+## ⚠️ Security Incident Background
+
+In January 2022, maintainer marak deliberately sabotaged the package by adding an infinite loop, causing applications to print garbage text. This was a protest against large corporations using open-source without compensation.
 
 ## Score Breakdown
 
-| Category | Score |
+```
+Maintainer Trust:  █████████░░░░░░░░░░░ 44/100
+Package Health:    ██████████████████░░ 88/100
+Supply Chain:      ██░░░░░░░░░░░░░░░░░░ 10/100
+Community:         █████████░░░░░░░░░░░ 47/100
+```
+
+### Why this score?
+
+- Maintainer Trust is 44 because: single maintainer (bus factor risk)
+- Supply Chain is 10 because: 1 known CVEs, in breach database
+- Community is 47 because: no GitHub repo found
+
+## Vulnerabilities (1 vulnerability)
+
+| Severity | Count |
 |----------|-------|
-| Maintainer Trust | 44/100 |
-| Package Health | 99/100 |
-| Supply Chain | 35/100 |
-| Community | 47/100 |
+| 🔴 Critical | 1 |
+
+## Key Risk Flags
+
+- 🔴 **CRITICAL**: Package name "colors" is 2 edit(s) from popular "cors"
+- 🔴 **CRITICAL**: HISTORICAL BREACH: Maintainer sabotaged with infinite loop (2022)
+- 🔴 **CRITICAL**: 1 CRITICAL vulnerability(ies) from live CVE databases
+- 🔴 **CRITICAL**: Maintainer "marak" has history of package sabotage
+
+## 🛠️ What Should You Do?
 
-## Vulnerabilities
+**Immediate:**
+- Upgrade to the latest version (`npm update colors`)
+- Review the security incident details above
+- Consider replacing with [chalk](https://nrupak.com/trust/chalk)
 
-No known vulnerabilities.
+**Always:**
+- Pin exact version: `"colors": "1.4.0"`
+- Run `pkgtrust scan` in your CI pipeline
+- Monitor: [nrupak.com/trust/colors](https://nrupak.com/trust/colors)
 
-## Flags
+## 🔄 Safer Alternatives
 
-- **CRITICAL**: Package name "colors" is 2 edit(s) from popular "cors"
-- **CRITICAL**: HISTORICAL BREACH: Maintainer sabotaged with infinite loop (2022)
-- **CRITICAL**: Maintainer "marak" has history of package sabotage
-- **MEDIUM**: New maintainer(s) added in v0.5.1: marak
-- **MEDIUM**: New maintainer(s) added in v1.2.0-rc0: dabh
-- **MEDIUM**: Single maintainer — bus factor risk
-- **MEDIUM**: Package dormant — last published 2383 days ago
-- **MEDIUM**: No GitHub repo found — community signals unavailable
-- **LOW**: Single maintainer using free email service
-- **INFO**: Published with 2FA enabled (signed)
+| Package | Why | Trust Report |
+|---------|-----|-------------|
+| **chalk** | Most popular terminal color library | [View score](https://nrupak.com/trust/chalk) |
+| **picocolors** | Tiny, fast, zero dependencies | [View score](https://nrupak.com/trust/picocolors) |
+| **kleur** | Lightweight alternative | [View score](https://nrupak.com/trust/kleur) |
 
 ## Maintainers
 
-- marak (2FA)
+- **marak** ✅ 2FA enabled (freemail)
+
+## Methodology
+
+This score is computed from **18+ signals** across **4 categories**:
+- **Maintainer Trust (35%)**: Account age, 2FA, publish cadence, maintainer changes, email domain
+- **Package Health (25%)**: Install scripts, dependency count, license, provenance, size changes, code quality
+- **Supply Chain (25%)**: Live CVEs from 8 databases, known breaches, typosquatting, transitive risk
+- **Community (15%)**: GitHub stars, contributors, CI, OpenSSF Scorecard, npms.io quality
+
+[Full scoring methodology →](https://nrupak.com/trust)
+
+## Check Your Project
+
+```bash
+# Install pkgtrust
+npm install -g @cyberhub/pkgtrust
+
+# Scan a specific package
+pkgtrust scan colors
+
+# Scan all your dependencies
+pkgtrust scan
+
+# Compare alternatives
+pkgtrust compare colors chalk picocolors
+```
+
+**Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
 
 ---
-*[pkgtrust](https://nrupak.com/trust/colors) | [Dashboard](https://nrupak.com/trust) | Updated 2026-04-02*
+
+*Report by [pkgtrust](https://nrupak.com/trust/colors) · [Dashboard](https://nrupak.com/trust) · [Compare](https://nrupak.com/trust/compare) · [CLI](https://npmjs.com/package/@cyberhub/pkgtrust)*
+
+*This is an automated security report. Not affiliated with the colors team. Updated 2026-04-02.*

package/package.json

@@ -1,17 +1,29 @@
 {
   "name": "@cyberhub/trust-colors",
-  "version": "1.0.0",
-  "description": "Security Trust Report for colors — 56/100 (C+, standard). Maintainer risk and vulnerability analysis from 8 security databases.",
+  "version": "1.0.2",
+  "description": "Security Trust Report: colors@1.4.0 — 47/100 (C, caution). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.",
   "keywords": [
+    "colors",
     "colors",
     "security",
+    "security-report",
     "trust-score",
     "vulnerability",
+    "npm-audit",
+    "npm-security",
+    "supply-chain",
     "pkgtrust",
-    "CVE"
+    "audit",
+    "scan",
+    "risk",
+    "risk-assessment",
+    "chalk",
+    "picocolors",
+    "kleur",
+    "caution"
   ],
   "license": "MIT",
-  "author": "Nrupak Shah",
+  "author": "Nrupak Shah <nrupaks@gmail.com>",
   "repository": {
     "type": "git",
     "url": "https://github.com/nrupaks/pkgtrust"