@cyberhub/trust-event-stream 1.0.1 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +78 -41
  2. package/package.json +16 -4
package/README.md CHANGED
@@ -1,65 +1,102 @@
1
1
  # Security Trust Report: event-stream
2
2
 
3
- **Score: 54/100 | Grade: C | Tier: STANDARD** (confidence: ±3)
3
+ **event-stream@4.0.1: 54/100 | Grade: C | Tier: STANDARD** (confidence: ±3)
4
4
 
5
- > ⚠️ Notable risk factors. Review flags and actions below.
5
+ > Data verified on 2026-04-02 from 8 security databases.
6
+
7
+ ## TL;DR
8
+
9
+ - **1 vulnerability found** (1 critical, 0 high)
10
+ - Consider switching to **highland** (High-level streams library)
11
+ - Pin your version and monitor for changes
12
+
13
+ ## ⚠️ Security Incident Background
14
+
15
+ In November 2018, a malicious contributor (@right9ctrl) gained maintainer access through social engineering and injected a cryptocurrency-stealing payload via the flatmap-stream dependency. The attack targeted Copay Bitcoin wallets and affected 2M+ downstream projects.
6
16
 
7
17
  ## Score Breakdown
8
18
 
9
- | Category | Score |
10
- |----------|-------|
11
- | Maintainer Trust | 44/100 |
12
- | Package Health | 86/100 |
13
- | Supply Chain | 39/100 |
14
- | Community | 46/100 |
19
+ ```
20
+ Maintainer Trust: █████████░░░░░░░░░░░ 44/100
21
+ Package Health: █████████████████░░░ 86/100
22
+ Supply Chain: ████████░░░░░░░░░░░░ 39/100
23
+ Community: █████████░░░░░░░░░░░ 46/100
24
+ ```
15
25
 
16
- ## Vulnerabilities
26
+ ### Why this score?
17
27
 
18
- **1 vulnerabilities** (Critical: 1, High: 0, Medium: 0)
28
+ - Maintainer Trust is 44 because: single maintainer (bus factor risk), maintainer changes detected
29
+ - Supply Chain is 39 because: 1 known CVEs, in breach database
30
+ - Community is 46 because: no GitHub repo found
19
31
 
32
+ ## Vulnerabilities (1 vulnerability)
20
33
 
34
+ | Severity | Count |
35
+ |----------|-------|
36
+ | 🔴 Critical | 1 |
21
37
 
22
- ## Flags
38
+ ## Key Risk Flags
23
39
 
24
- - **CRITICAL**: HISTORICAL BREACH: Malicious code injected via flatmap-stream (2018)
25
- - **CRITICAL**: 1 CRITICAL vulnerability(ies) from live CVE databases
26
- - **HIGH**: Primary maintainer account is less than 6 months old (0 days)
27
- - **HIGH**: Maintainer(s) removed in v4.0.0: dominictarr
28
- - **HIGH**: Burst publishing detected — 5+ versions in a single day
29
- - **MEDIUM**: Maintainer has only published 0 version(s)
30
- - **MEDIUM**: New maintainer(s) added in v3.3.5: right9ctrl
31
- - **MEDIUM**: Single maintainer — bus factor risk
32
- - **MEDIUM**: Package dormant — last published 2742 days ago
33
- - **MEDIUM**: No GitHub repo found — community signals unavailable
34
- - **LOW**: Erratic publish cadence — highly irregular release intervals
35
- - **INFO**: Published with 2FA enabled (signed)
40
+ - 🔴 **CRITICAL**: HISTORICAL BREACH: Malicious code injected via flatmap-stream (2018)
41
+ - 🔴 **CRITICAL**: 1 CRITICAL vulnerability(ies) from live CVE databases
42
+ - 🟠 **HIGH**: Primary maintainer account is less than 6 months old (0 days)
43
+ - 🟠 **HIGH**: Maintainer(s) removed in v4.0.0: dominictarr
44
+ - 🟠 **HIGH**: Burst publishing detected — 5+ versions in a single day
36
45
 
37
46
  ## 🛠️ What Should You Do?
38
47
 
39
- **Immediate actions:**
40
- - HISTORICAL BREACH: Malicious code injected via flatmap-stream (2018)
41
- - 1 CRITICAL vulnerability(ies) from live CVE databases
42
-
43
- **Review:**
44
- - 🟠 Primary maintainer account is less than 6 months old (0 days)
45
- - 🟠 Maintainer(s) removed in v4.0.0: dominictarr
46
- - 🟠 Burst publishing detected — 5+ versions in a single day
48
+ **Immediate:**
49
+ - Upgrade to the latest version (`npm update event-stream`)
50
+ - Review the security incident details above
51
+ - Consider replacing with [highland](https://nrupak.com/trust/highland)
47
52
 
48
- **Pin your version** and monitor for changes.
53
+ **Always:**
54
+ - Pin exact version: `"event-stream": "4.0.1"`
55
+ - Run `pkgtrust scan` in your CI pipeline
56
+ - Monitor: [nrupak.com/trust/event-stream](https://nrupak.com/trust/event-stream)
49
57
 
50
- ## 🔄 Alternatives
58
+ ## 🔄 Safer Alternatives
51
59
 
52
- | Package | Why |
53
- |---------|-----|
54
- | [highland](https://nrupak.com/trust/highland) | High-level streams library |
55
- | [Node.js streams](https://nrupak.com/trust/Node.js%20streams) | Built-in, no dependency needed |
56
- | [through2](https://nrupak.com/trust/through2) | Simple stream wrapper |
60
+ | Package | Why | Trust Report |
61
+ |---------|-----|-------------|
62
+ | **highland** | High-level streams library | [View score](https://nrupak.com/trust/highland) |
63
+ | **Node.js streams** | Built-in, no dependency needed | [View score](https://nrupak.com/trust/Node.js%20streams) |
64
+ | **through2** | Simple stream wrapper | [View score](https://nrupak.com/trust/through2) |
57
65
 
58
66
  ## Maintainers
59
67
 
60
- - npm ✅ 2FA
68
+ - **npm** ✅ 2FA enabled (org email)
69
+
70
+ ## Methodology
71
+
72
+ This score is computed from **18+ signals** across **4 categories**:
73
+ - **Maintainer Trust (35%)**: Account age, 2FA, publish cadence, maintainer changes, email domain
74
+ - **Package Health (25%)**: Install scripts, dependency count, license, provenance, size changes, code quality
75
+ - **Supply Chain (25%)**: Live CVEs from 8 databases, known breaches, typosquatting, transitive risk
76
+ - **Community (15%)**: GitHub stars, contributors, CI, OpenSSF Scorecard, npms.io quality
61
77
 
62
- **Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
78
+ [Full scoring methodology →](https://nrupak.com/trust)
79
+
80
+ ## Check Your Project
81
+
82
+ ```bash
83
+ # Install pkgtrust
84
+ npm install -g @cyberhub/pkgtrust
85
+
86
+ # Scan a specific package
87
+ pkgtrust scan event-stream
88
+
89
+ # Scan all your dependencies
90
+ pkgtrust scan
91
+
92
+ # Compare alternatives
93
+ pkgtrust compare event-stream highland Node.js streams
94
+ ```
95
+
96
+ **Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
63
97
 
64
98
  ---
65
- *[pkgtrust](https://nrupak.com/trust/event-stream) | [Compare](https://nrupak.com/trust/compare) | [CLI](https://npmjs.com/package/@cyberhub/pkgtrust) | Updated 2026-04-02*
99
+
100
+ *Report by [pkgtrust](https://nrupak.com/trust/event-stream) · [Dashboard](https://nrupak.com/trust) · [Compare](https://nrupak.com/trust/compare) · [CLI](https://npmjs.com/package/@cyberhub/pkgtrust)*
101
+
102
+ *This is an automated security report. Not affiliated with the event-stream team. Updated 2026-04-02.*
package/package.json CHANGED
@@ -1,17 +1,29 @@
1
1
  {
2
2
  "name": "@cyberhub/trust-event-stream",
3
- "version": "1.0.1",
4
- "description": "Security Trust Report for event-stream — 54/100 (C, standard). 8 security databases.",
3
+ "version": "1.0.2",
4
+ "description": "Security Trust Report: event-stream@4.0.1 — 54/100 (C, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.",
5
5
  "keywords": [
6
+ "event-stream",
6
7
  "event-stream",
7
8
  "security",
9
+ "security-report",
8
10
  "trust-score",
9
11
  "vulnerability",
12
+ "npm-audit",
13
+ "npm-security",
14
+ "supply-chain",
10
15
  "pkgtrust",
11
- "CVE"
16
+ "audit",
17
+ "scan",
18
+ "risk",
19
+ "risk-assessment",
20
+ "highland",
21
+ "Node.js streams",
22
+ "through2",
23
+ "standard"
12
24
  ],
13
25
  "license": "MIT",
14
- "author": "Nrupak Shah",
26
+ "author": "Nrupak Shah <nrupaks@gmail.com>",
15
27
  "repository": {
16
28
  "type": "git",
17
29
  "url": "https://github.com/nrupaks/pkgtrust"