@cyberhub/trust-colors 1.0.5 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +9 -37
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -29,11 +29,9 @@ Community: █████████░░░░░░░░░░░
29
29
  - Supply Chain is 10 because: 1 known CVEs, in breach database
30
30
  - Community is 47 because: no GitHub repo found
31
31
 
32
- ## Vulnerabilities (1 vulnerability)
32
+ ## ⚠️ Security Incident
33
33
 
34
- | Severity | Count |
35
- |----------|-------|
36
- | 🔴 Critical | 1 |
34
+ This package was compromised via account takeover/sabotage (no CVE assigned). See Security Incident Background above for details.
37
35
 
38
36
  ## Key Risk Flags
39
37
 
@@ -45,14 +43,11 @@ Community: █████████░░░░░░░░░░░
45
43
  ## 🛠️ What Should You Do?
46
44
 
47
45
  **Immediate:**
48
- - Upgrade to the latest version (`npm update colors`)
49
- - Review the security incident details above
50
- - Consider replacing with [chalk](https://nrupak.com/trust/chalk)
46
+ - 📌 Pin to known-safe version: **1.4.0 (before sabotage)**
47
+ - 🔄 Or replace with [chalk](https://nrupak.com/trust/chalk) — Most popular terminal color library
48
+ - 📖 Review the security incident above
51
49
 
52
- **Always:**
53
- - Pin exact version: `"colors": "1.4.0"`
54
- - Run `pkgtrust scan` in your CI pipeline
55
- - Monitor: [nrupak.com/trust/colors](https://nrupak.com/trust/colors)
50
+ **Always:** Pin version, run `pkgtrust scan` in CI, monitor at [nrupak.com/trust/colors](https://nrupak.com/trust/colors)
56
51
 
57
52
  ## 🔄 Safer Alternatives
58
53
 
@@ -64,34 +59,11 @@ Community: █████████░░░░░░░░░░░
64
59
 
65
60
  ## Maintainers
66
61
 
67
- - **marak** 2FA enabled (freemail)
62
+ - **[marak](https://nrupak.com/trust/maintainer/marak)** COMPROMISED: Deliberately sabotaged colors and faker (2022)
68
63
 
69
- ## Methodology
70
-
71
- This score is computed from **18+ signals** across **4 categories**:
72
- - **Maintainer Trust (35%)**: Account age, 2FA, publish cadence, maintainer changes, email domain
73
- - **Package Health (25%)**: Install scripts, dependency count, license, provenance, size changes, code quality
74
- - **Supply Chain (25%)**: Live CVEs from 8 databases, known breaches, typosquatting, transitive risk
75
- - **Community (15%)**: GitHub stars, contributors, CI, OpenSSF Scorecard, npms.io quality
76
-
77
- [Full scoring methodology →](https://nrupak.com/trust)
78
-
79
- ## Check Your Project
80
-
81
- ```bash
82
- # Install pkgtrust
83
- npm install -g @cyberhub/pkgtrust
84
-
85
- # Scan a specific package
86
- pkgtrust scan colors
87
-
88
- # Scan all your dependencies
89
- pkgtrust scan
90
-
91
- # Compare alternatives
92
- pkgtrust compare colors chalk picocolors
93
- ```
64
+ **Methodology:** 18+ signals across 4 categories (Maintainer 35%, Package 25%, Supply Chain 25%, Community 15%). [Full scoring docs →](https://nrupak.com/trust)
94
65
 
66
+ **Check your project:** `npm i -g @cyberhub/pkgtrust && pkgtrust scan colors` — [CLI docs](https://npmjs.com/package/@cyberhub/pkgtrust)
95
67
  **Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
96
68
 
97
69
  ---
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@cyberhub/trust-colors",
3
- "version": "1.0.5",
3
+ "version": "1.0.6",
4
4
  "description": "Security Trust Report: colors@1.4.0 — 47/100 (C, caution). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.",
5
5
  "keywords": [
6
6
  "colors",