npm - @cyberhub/trust-event-stream - Versions diffs - 1.0.0 → 1.0.1 - Mend

@cyberhub/trust-event-stream 1.0.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +38 -8
package/package.json +3 -4

package/README.md CHANGED Viewed

@@ -1,21 +1,28 @@
 # Security Trust Report: event-stream
-**Score: 62/100 | Grade: C+ | Tier: STANDARD**
+**Score: 54/100 | Grade: C | Tier: STANDARD** (confidence: ±3)
-> This package was COMPROMISED in 2018. A malicious maintainer injected cryptocurrency-stealing code via the flatmap-stream dependency.
+> ⚠️ Notable risk factors. Review flags and actions below.
 ## Score Breakdown
 | Category | Score |
 |----------|-------|
 | Maintainer Trust | 44/100 |
-| Package Health | 94/100 |
-| Supply Chain | 64/100 |
+| Package Health | 86/100 |
+| Supply Chain | 39/100 |
 | Community | 46/100 |
+## Vulnerabilities
+**1 vulnerabilities** (Critical: 1, High: 0, Medium: 0)
 ## Flags
 - **CRITICAL**: HISTORICAL BREACH: Malicious code injected via flatmap-stream (2018)
+- **CRITICAL**: 1 CRITICAL vulnerability(ies) from live CVE databases
 - **HIGH**: Primary maintainer account is less than 6 months old (0 days)
 - **HIGH**: Maintainer(s) removed in v4.0.0: dominictarr
 - **HIGH**: Burst publishing detected — 5+ versions in a single day
@@ -25,11 +32,34 @@
 - **MEDIUM**: Package dormant — last published 2742 days ago
 - **MEDIUM**: No GitHub repo found — community signals unavailable
 - **LOW**: Erratic publish cadence — highly irregular release intervals
+- **INFO**: Published with 2FA enabled (signed)
+## 🛠️ What Should You Do?
+**Immediate actions:**
+- ⛔ HISTORICAL BREACH: Malicious code injected via flatmap-stream (2018)
+- ⛔ 1 CRITICAL vulnerability(ies) from live CVE databases
+**Review:**
+- 🟠 Primary maintainer account is less than 6 months old (0 days)
+- 🟠 Maintainer(s) removed in v4.0.0: dominictarr
+- 🟠 Burst publishing detected — 5+ versions in a single day
+**Pin your version** and monitor for changes.
+## 🔄 Alternatives
+| Package | Why |
+|---------|-----|
+| [highland](https://nrupak.com/trust/highland) | High-level streams library |
+| [Node.js streams](https://nrupak.com/trust/Node.js%20streams) | Built-in, no dependency needed |
+| [through2](https://nrupak.com/trust/through2) | Simple stream wrapper |
+## Maintainers
-## Recommendation
+- npm ✅ 2FA
-Do NOT use event-stream. Use Node.js built-in streams or highland instead.
+**Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
 ---
-*Report by [pkgtrust](https://nrupak.com/trust/event-stream) — Updated 2026-04-02*
-*[Dashboard](https://nrupak.com/trust) | [Compare](https://nrupak.com/trust/compare) | [CLI](https://npmjs.com/package/@cyberhub/pkgtrust)*
+*[pkgtrust](https://nrupak.com/trust/event-stream) | [Compare](https://nrupak.com/trust/compare) | [CLI](https://npmjs.com/package/@cyberhub/pkgtrust) | Updated 2026-04-02*

package/package.json CHANGED Viewed

@@ -1,15 +1,14 @@
 {
   "name": "@cyberhub/trust-event-stream",
-  "version": "1.0.0",
-  "description": "Security Trust Report for event-stream — 62/100 (C+, standard). COMPROMISED PACKAGE. Maintainer risk and supply chain analysis from 8 security databases.",
+  "version": "1.0.1",
+  "description": "Security Trust Report for event-stream — 54/100 (C, standard). 8 security databases.",
   "keywords": [
     "event-stream",
     "security",
     "trust-score",
     "vulnerability",
     "pkgtrust",
-    "compromised",
-    "supply-chain-attack"
+    "CVE"
   ],
   "license": "MIT",
   "author": "Nrupak Shah",