@cyberhub/trust-colors 1.0.1 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +77 -38
  2. package/package.json +16 -4
package/README.md CHANGED
@@ -1,62 +1,101 @@
1
1
  # Security Trust Report: colors
2
2
 
3
- **Score: 47/100 | Grade: C | Tier: CAUTION** (confidence: ±3)
3
+ **colors@1.4.0: 47/100 | Grade: C | Tier: CAUTION** (confidence: ±3)
4
4
 
5
- > ⚠️ Notable risk factors. Review flags and actions below.
5
+ > Data verified on 2026-04-02 from 8 security databases.
6
+
7
+ ## TL;DR
8
+
9
+ - **1 vulnerability found** (1 critical, 0 high)
10
+ - Consider switching to **chalk** (Most popular terminal color library)
11
+ - **Action required:** Review flags below and upgrade or replace this package
12
+
13
+ ## ⚠️ Security Incident Background
14
+
15
+ In January 2022, maintainer marak deliberately sabotaged the package by adding an infinite loop, causing applications to print garbage text. This was a protest against large corporations using open-source without compensation.
6
16
 
7
17
  ## Score Breakdown
8
18
 
9
- | Category | Score |
10
- |----------|-------|
11
- | Maintainer Trust | 44/100 |
12
- | Package Health | 88/100 |
13
- | Supply Chain | 10/100 |
14
- | Community | 47/100 |
19
+ ```
20
+ Maintainer Trust: █████████░░░░░░░░░░░ 44/100
21
+ Package Health: ██████████████████░░ 88/100
22
+ Supply Chain: ██░░░░░░░░░░░░░░░░░░ 10/100
23
+ Community: █████████░░░░░░░░░░░ 47/100
24
+ ```
15
25
 
16
- ## Vulnerabilities
26
+ ### Why this score?
17
27
 
18
- **1 vulnerabilities** (Critical: 1, High: 0, Medium: 0)
28
+ - Maintainer Trust is 44 because: single maintainer (bus factor risk)
29
+ - Supply Chain is 10 because: 1 known CVEs, in breach database
30
+ - Community is 47 because: no GitHub repo found
19
31
 
32
+ ## Vulnerabilities (1 vulnerability)
20
33
 
34
+ | Severity | Count |
35
+ |----------|-------|
36
+ | 🔴 Critical | 1 |
21
37
 
22
- ## Flags
38
+ ## Key Risk Flags
23
39
 
24
- - **CRITICAL**: Package name "colors" is 2 edit(s) from popular "cors"
25
- - **CRITICAL**: HISTORICAL BREACH: Maintainer sabotaged with infinite loop (2022)
26
- - **CRITICAL**: 1 CRITICAL vulnerability(ies) from live CVE databases
27
- - **CRITICAL**: Maintainer "marak" has history of package sabotage
28
- - **MEDIUM**: New maintainer(s) added in v0.5.1: marak
29
- - **MEDIUM**: New maintainer(s) added in v1.2.0-rc0: dabh
30
- - **MEDIUM**: Single maintainer — bus factor risk
31
- - **MEDIUM**: Package dormant — last published 2383 days ago
32
- - **MEDIUM**: No GitHub repo found — community signals unavailable
33
- - **LOW**: Single maintainer using free email service
34
- - **LOW**: High-download package with no detected test framework
35
- - **INFO**: Published with 2FA enabled (signed)
40
+ - 🔴 **CRITICAL**: Package name "colors" is 2 edit(s) from popular "cors"
41
+ - 🔴 **CRITICAL**: HISTORICAL BREACH: Maintainer sabotaged with infinite loop (2022)
42
+ - 🔴 **CRITICAL**: 1 CRITICAL vulnerability(ies) from live CVE databases
43
+ - 🔴 **CRITICAL**: Maintainer "marak" has history of package sabotage
36
44
 
37
45
  ## 🛠️ What Should You Do?
38
46
 
39
- **Immediate actions:**
40
- - Package name "colors" is 2 edit(s) from popular "cors"
41
- - HISTORICAL BREACH: Maintainer sabotaged with infinite loop (2022)
42
- - 1 CRITICAL vulnerability(ies) from live CVE databases
43
-
47
+ **Immediate:**
48
+ - Upgrade to the latest version (`npm update colors`)
49
+ - Review the security incident details above
50
+ - Consider replacing with [chalk](https://nrupak.com/trust/chalk)
44
51
 
45
- **Replace this package** with a safer alternative (see below).
52
+ **Always:**
53
+ - Pin exact version: `"colors": "1.4.0"`
54
+ - Run `pkgtrust scan` in your CI pipeline
55
+ - Monitor: [nrupak.com/trust/colors](https://nrupak.com/trust/colors)
46
56
 
47
- ## 🔄 Alternatives
57
+ ## 🔄 Safer Alternatives
48
58
 
49
- | Package | Why |
50
- |---------|-----|
51
- | [chalk](https://nrupak.com/trust/chalk) | Most popular terminal color library |
52
- | [picocolors](https://nrupak.com/trust/picocolors) | Tiny, fast, zero dependencies |
53
- | [kleur](https://nrupak.com/trust/kleur) | Lightweight alternative |
59
+ | Package | Why | Trust Report |
60
+ |---------|-----|-------------|
61
+ | **chalk** | Most popular terminal color library | [View score](https://nrupak.com/trust/chalk) |
62
+ | **picocolors** | Tiny, fast, zero dependencies | [View score](https://nrupak.com/trust/picocolors) |
63
+ | **kleur** | Lightweight alternative | [View score](https://nrupak.com/trust/kleur) |
54
64
 
55
65
  ## Maintainers
56
66
 
57
- - marak ✅ 2FA
67
+ - **marak** ✅ 2FA enabled (freemail)
68
+
69
+ ## Methodology
70
+
71
+ This score is computed from **18+ signals** across **4 categories**:
72
+ - **Maintainer Trust (35%)**: Account age, 2FA, publish cadence, maintainer changes, email domain
73
+ - **Package Health (25%)**: Install scripts, dependency count, license, provenance, size changes, code quality
74
+ - **Supply Chain (25%)**: Live CVEs from 8 databases, known breaches, typosquatting, transitive risk
75
+ - **Community (15%)**: GitHub stars, contributors, CI, OpenSSF Scorecard, npms.io quality
58
76
 
59
- **Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
77
+ [Full scoring methodology →](https://nrupak.com/trust)
78
+
79
+ ## Check Your Project
80
+
81
+ ```bash
82
+ # Install pkgtrust
83
+ npm install -g @cyberhub/pkgtrust
84
+
85
+ # Scan a specific package
86
+ pkgtrust scan colors
87
+
88
+ # Scan all your dependencies
89
+ pkgtrust scan
90
+
91
+ # Compare alternatives
92
+ pkgtrust compare colors chalk picocolors
93
+ ```
94
+
95
+ **Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
60
96
 
61
97
  ---
62
- *[pkgtrust](https://nrupak.com/trust/colors) | [Compare](https://nrupak.com/trust/compare) | [CLI](https://npmjs.com/package/@cyberhub/pkgtrust) | Updated 2026-04-02*
98
+
99
+ *Report by [pkgtrust](https://nrupak.com/trust/colors) · [Dashboard](https://nrupak.com/trust) · [Compare](https://nrupak.com/trust/compare) · [CLI](https://npmjs.com/package/@cyberhub/pkgtrust)*
100
+
101
+ *This is an automated security report. Not affiliated with the colors team. Updated 2026-04-02.*
package/package.json CHANGED
@@ -1,17 +1,29 @@
1
1
  {
2
2
  "name": "@cyberhub/trust-colors",
3
- "version": "1.0.1",
4
- "description": "Security Trust Report for colors — 47/100 (C, caution). 8 security databases.",
3
+ "version": "1.0.3",
4
+ "description": "Security Trust Report: colors@1.4.0 — 47/100 (C, caution). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.",
5
5
  "keywords": [
6
+ "colors",
6
7
  "colors",
7
8
  "security",
9
+ "security-report",
8
10
  "trust-score",
9
11
  "vulnerability",
12
+ "npm-audit",
13
+ "npm-security",
14
+ "supply-chain",
10
15
  "pkgtrust",
11
- "CVE"
16
+ "audit",
17
+ "scan",
18
+ "risk",
19
+ "risk-assessment",
20
+ "chalk",
21
+ "picocolors",
22
+ "kleur",
23
+ "caution"
12
24
  ],
13
25
  "license": "MIT",
14
- "author": "Nrupak Shah",
26
+ "author": "Nrupak Shah <nrupaks@gmail.com>",
15
27
  "repository": {
16
28
  "type": "git",
17
29
  "url": "https://github.com/nrupaks/pkgtrust"