@cyberhub/trust-event-stream 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +89 -22
  2. package/package.json +16 -5
package/README.md CHANGED
@@ -1,35 +1,102 @@
1
1
  # Security Trust Report: event-stream
2
2
 
3
- **Score: 62/100 | Grade: C+ | Tier: STANDARD**
3
+ **event-stream@4.0.1: 54/100 | Grade: C | Tier: STANDARD** (confidence: ±3)
4
4
 
5
- > This package was COMPROMISED in 2018. A malicious maintainer injected cryptocurrency-stealing code via the flatmap-stream dependency.
5
+ > Data verified on 2026-04-02 from 8 security databases.
6
+
7
+ ## TL;DR
8
+
9
+ - **1 vulnerability found** (1 critical, 0 high)
10
+ - Consider switching to **highland** (High-level streams library)
11
+ - Pin your version and monitor for changes
12
+
13
+ ## ⚠️ Security Incident Background
14
+
15
+ In November 2018, a malicious contributor (@right9ctrl) gained maintainer access through social engineering and injected a cryptocurrency-stealing payload via the flatmap-stream dependency. The attack targeted Copay Bitcoin wallets and affected 2M+ downstream projects.
6
16
 
7
17
  ## Score Breakdown
8
18
 
9
- | Category | Score |
19
+ ```
20
+ Maintainer Trust: █████████░░░░░░░░░░░ 44/100
21
+ Package Health: █████████████████░░░ 86/100
22
+ Supply Chain: ████████░░░░░░░░░░░░ 39/100
23
+ Community: █████████░░░░░░░░░░░ 46/100
24
+ ```
25
+
26
+ ### Why this score?
27
+
28
+ - Maintainer Trust is 44 because: single maintainer (bus factor risk), maintainer changes detected
29
+ - Supply Chain is 39 because: 1 known CVEs, in breach database
30
+ - Community is 46 because: no GitHub repo found
31
+
32
+ ## Vulnerabilities (1 vulnerability)
33
+
34
+ | Severity | Count |
10
35
  |----------|-------|
11
- | Maintainer Trust | 44/100 |
12
- | Package Health | 94/100 |
13
- | Supply Chain | 64/100 |
14
- | Community | 46/100 |
36
+ | 🔴 Critical | 1 |
37
+
38
+ ## Key Risk Flags
39
+
40
+ - 🔴 **CRITICAL**: HISTORICAL BREACH: Malicious code injected via flatmap-stream (2018)
41
+ - 🔴 **CRITICAL**: 1 CRITICAL vulnerability(ies) from live CVE databases
42
+ - 🟠 **HIGH**: Primary maintainer account is less than 6 months old (0 days)
43
+ - 🟠 **HIGH**: Maintainer(s) removed in v4.0.0: dominictarr
44
+ - 🟠 **HIGH**: Burst publishing detected — 5+ versions in a single day
45
+
46
+ ## 🛠️ What Should You Do?
47
+
48
+ **Immediate:**
49
+ - Upgrade to the latest version (`npm update event-stream`)
50
+ - Review the security incident details above
51
+ - Consider replacing with [highland](https://nrupak.com/trust/highland)
15
52
 
16
- ## Flags
53
+ **Always:**
54
+ - Pin exact version: `"event-stream": "4.0.1"`
55
+ - Run `pkgtrust scan` in your CI pipeline
56
+ - Monitor: [nrupak.com/trust/event-stream](https://nrupak.com/trust/event-stream)
17
57
 
18
- - **CRITICAL**: HISTORICAL BREACH: Malicious code injected via flatmap-stream (2018)
19
- - **HIGH**: Primary maintainer account is less than 6 months old (0 days)
20
- - **HIGH**: Maintainer(s) removed in v4.0.0: dominictarr
21
- - **HIGH**: Burst publishing detected — 5+ versions in a single day
22
- - **MEDIUM**: Maintainer has only published 0 version(s)
23
- - **MEDIUM**: New maintainer(s) added in v3.3.5: right9ctrl
24
- - **MEDIUM**: Single maintainer — bus factor risk
25
- - **MEDIUM**: Package dormant — last published 2742 days ago
26
- - **MEDIUM**: No GitHub repo found — community signals unavailable
27
- - **LOW**: Erratic publish cadence — highly irregular release intervals
58
+ ## 🔄 Safer Alternatives
28
59
 
29
- ## Recommendation
60
+ | Package | Why | Trust Report |
61
+ |---------|-----|-------------|
62
+ | **highland** | High-level streams library | [View score](https://nrupak.com/trust/highland) |
63
+ | **Node.js streams** | Built-in, no dependency needed | [View score](https://nrupak.com/trust/Node.js%20streams) |
64
+ | **through2** | Simple stream wrapper | [View score](https://nrupak.com/trust/through2) |
30
65
 
31
- Do NOT use event-stream. Use Node.js built-in streams or highland instead.
66
+ ## Maintainers
67
+
68
+ - **npm** ✅ 2FA enabled (org email)
69
+
70
+ ## Methodology
71
+
72
+ This score is computed from **18+ signals** across **4 categories**:
73
+ - **Maintainer Trust (35%)**: Account age, 2FA, publish cadence, maintainer changes, email domain
74
+ - **Package Health (25%)**: Install scripts, dependency count, license, provenance, size changes, code quality
75
+ - **Supply Chain (25%)**: Live CVEs from 8 databases, known breaches, typosquatting, transitive risk
76
+ - **Community (15%)**: GitHub stars, contributors, CI, OpenSSF Scorecard, npms.io quality
77
+
78
+ [Full scoring methodology →](https://nrupak.com/trust)
79
+
80
+ ## Check Your Project
81
+
82
+ ```bash
83
+ # Install pkgtrust
84
+ npm install -g @cyberhub/pkgtrust
85
+
86
+ # Scan a specific package
87
+ pkgtrust scan event-stream
88
+
89
+ # Scan all your dependencies
90
+ pkgtrust scan
91
+
92
+ # Compare alternatives
93
+ pkgtrust compare event-stream highland Node.js streams
94
+ ```
95
+
96
+ **Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
32
97
 
33
98
  ---
34
- *Report by [pkgtrust](https://nrupak.com/trust/event-stream) — Updated 2026-04-02*
35
- *[Dashboard](https://nrupak.com/trust) | [Compare](https://nrupak.com/trust/compare) | [CLI](https://npmjs.com/package/@cyberhub/pkgtrust)*
99
+
100
+ *Report by [pkgtrust](https://nrupak.com/trust/event-stream) · [Dashboard](https://nrupak.com/trust) · [Compare](https://nrupak.com/trust/compare) · [CLI](https://npmjs.com/package/@cyberhub/pkgtrust)*
101
+
102
+ *This is an automated security report. Not affiliated with the event-stream team. Updated 2026-04-02.*
package/package.json CHANGED
@@ -1,18 +1,29 @@
1
1
  {
2
2
  "name": "@cyberhub/trust-event-stream",
3
- "version": "1.0.0",
4
- "description": "Security Trust Report for event-stream — 62/100 (C+, standard). COMPROMISED PACKAGE. Maintainer risk and supply chain analysis from 8 security databases.",
3
+ "version": "1.0.2",
4
+ "description": "Security Trust Report: event-stream@4.0.154/100 (C, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.",
5
5
  "keywords": [
6
+ "event-stream",
6
7
  "event-stream",
7
8
  "security",
9
+ "security-report",
8
10
  "trust-score",
9
11
  "vulnerability",
12
+ "npm-audit",
13
+ "npm-security",
14
+ "supply-chain",
10
15
  "pkgtrust",
11
- "compromised",
12
- "supply-chain-attack"
16
+ "audit",
17
+ "scan",
18
+ "risk",
19
+ "risk-assessment",
20
+ "highland",
21
+ "Node.js streams",
22
+ "through2",
23
+ "standard"
13
24
  ],
14
25
  "license": "MIT",
15
- "author": "Nrupak Shah",
26
+ "author": "Nrupak Shah <nrupaks@gmail.com>",
16
27
  "repository": {
17
28
  "type": "git",
18
29
  "url": "https://github.com/nrupaks/pkgtrust"