@cyberhub/trust-event-stream 1.0.4 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +9 -37
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -29,11 +29,9 @@ Community: █████████░░░░░░░░░░░
29
29
  - Supply Chain is 39 because: 1 known CVEs, in breach database
30
30
  - Community is 46 because: no GitHub repo found
31
31
 
32
- ## Vulnerabilities (1 vulnerability)
32
+ ## ⚠️ Security Incident
33
33
 
34
- | Severity | Count |
35
- |----------|-------|
36
- | 🔴 Critical | 1 |
34
+ This package was compromised via account takeover/sabotage (no CVE assigned). See Security Incident Background above for details.
37
35
 
38
36
  ## Key Risk Flags
39
37
 
@@ -46,14 +44,11 @@ Community: █████████░░░░░░░░░░░
46
44
  ## 🛠️ What Should You Do?
47
45
 
48
46
  **Immediate:**
49
- - Upgrade to the latest version (`npm update event-stream`)
50
- - Review the security incident details above
51
- - Consider replacing with [highland](https://nrupak.com/trust/highland)
47
+ - 📌 Pin to known-safe version: **3.3.4 (before flatmap-stream injection)**
48
+ - 🔄 Or replace with [highland](https://nrupak.com/trust/highland) — High-level streams library
49
+ - 📖 Review the security incident above
52
50
 
53
- **Always:**
54
- - Pin exact version: `"event-stream": "4.0.1"`
55
- - Run `pkgtrust scan` in your CI pipeline
56
- - Monitor: [nrupak.com/trust/event-stream](https://nrupak.com/trust/event-stream)
51
+ **Always:** Pin version, run `pkgtrust scan` in CI, monitor at [nrupak.com/trust/event-stream](https://nrupak.com/trust/event-stream)
57
52
 
58
53
  ## 🔄 Safer Alternatives
59
54
 
@@ -65,34 +60,11 @@ Community: █████████░░░░░░░░░░░
65
60
 
66
61
  ## Maintainers
67
62
 
68
- - **npm** ✅ 2FA enabled (org email)
63
+ - [npm](https://nrupak.com/trust/maintainer/npm) ✅ 2FA (org)
69
64
 
70
- ## Methodology
71
-
72
- This score is computed from **18+ signals** across **4 categories**:
73
- - **Maintainer Trust (35%)**: Account age, 2FA, publish cadence, maintainer changes, email domain
74
- - **Package Health (25%)**: Install scripts, dependency count, license, provenance, size changes, code quality
75
- - **Supply Chain (25%)**: Live CVEs from 8 databases, known breaches, typosquatting, transitive risk
76
- - **Community (15%)**: GitHub stars, contributors, CI, OpenSSF Scorecard, npms.io quality
77
-
78
- [Full scoring methodology →](https://nrupak.com/trust)
79
-
80
- ## Check Your Project
81
-
82
- ```bash
83
- # Install pkgtrust
84
- npm install -g @cyberhub/pkgtrust
85
-
86
- # Scan a specific package
87
- pkgtrust scan event-stream
88
-
89
- # Scan all your dependencies
90
- pkgtrust scan
91
-
92
- # Compare alternatives
93
- pkgtrust compare event-stream highland Node.js streams
94
- ```
65
+ **Methodology:** 18+ signals across 4 categories (Maintainer 35%, Package 25%, Supply Chain 25%, Community 15%). [Full scoring docs →](https://nrupak.com/trust)
95
66
 
67
+ **Check your project:** `npm i -g @cyberhub/pkgtrust && pkgtrust scan event-stream` — [CLI docs](https://npmjs.com/package/@cyberhub/pkgtrust)
96
68
  **Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
97
69
 
98
70
  ---
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@cyberhub/trust-event-stream",
3
- "version": "1.0.4",
3
+ "version": "1.0.6",
4
4
  "description": "Security Trust Report: event-stream@4.0.1 — 54/100 (C, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.",
5
5
  "keywords": [
6
6
  "event-stream",