npm - @cyberhub/trust-event-stream - Versions diffs - 1.0.62 → 1.0.64 - Mend

@cyberhub/trust-event-stream 1.0.62 → 1.0.64

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +23 -19
package/package.json +3 -2

package/README.md CHANGED Viewed

@@ -1,12 +1,12 @@
 # Security Trust Report: event-stream
-**event-stream@4.0.1: 54/100 | Grade: C | Tier: STANDARD** (confidence: ±3)
+**[event-stream@4.0.1](https://www.npmjs.com/package/event-stream): 53/100 | Grade: C | Tier: STANDARD** (confidence: ±3)
-> Data verified on 2026-04-02 from 8 security databases.
+> Scanned on 2026-04-10 from 8 security databases. [View package on npm →](https://www.npmjs.com/package/event-stream)
 ## TL;DR
-- **Security incident detected** — compromised via account takeover/sabotage
+- **1 vulnerability found** (1 critical, 0 high)
 - Consider switching to **highland** (High-level streams library)
 - Pin your version and monitor for changes
@@ -20,25 +20,29 @@ In November 2018, a malicious contributor (@right9ctrl) gained maintainer access
 Maintainer Trust:  █████████░░░░░░░░░░░ 44/100
 Package Health:    █████████████████░░░ 86/100
 Supply Chain:      ████████░░░░░░░░░░░░ 39/100
-Community:         █████████░░░░░░░░░░░ 46/100
+Community:         ████████░░░░░░░░░░░░ 41/100
 ```
 ### Why this score?
 - Maintainer Trust is 44 because: single maintainer (bus factor risk), maintainer changes detected
-- Supply Chain is 39 because: 1 security incident(s) in breach database, in breach database
-- Community is 46 because: no public GitHub repo linked (may be private or on another platform)
+- Supply Chain is 39 because: 1 known CVEs, in breach database
+- Community is 41 because: GitHub repo inactive
-## ⚠️ Security Incident
+## Vulnerabilities (1 vulnerability)
-This package was compromised via account takeover/sabotage (no CVE assigned). See Security Incident Background above for details.
+| Severity | Count |
+|----------|-------|
+| 🔴 Critical | 1 |
+- [GHSA-mh6f-8j2x-4483](https://github.com/advisories/GHSA-mh6f-8j2x-4483)
 ## Key Risk Flags
 - 🔴 **CRITICAL**: HISTORICAL BREACH: Malicious code injected via flatmap-stream (2018)
-- 🔴 **CRITICAL**: 1 CRITICAL security incident from breach database (no CVE assigned)
+- 🔴 **CRITICAL**: 1 CRITICAL vulnerability from live CVE databases
 - 🟠 **HIGH**: Primary maintainer account is less than 6 months old (0 days)
-- 🟠 **HIGH**: Maintainer(s) removed in v4.0.0: dominictarr
+- 🟠 **HIGH**: Maintainer(s) removed in v4.0.0: dominictarr ([evidence](https://www.npmjs.com/package/event-stream/v/4.0.0))
 - 🟠 **HIGH**: Burst publishing detected — 5+ versions in a single day
 ## 🛠️ What Should You Do?
@@ -52,23 +56,23 @@ This package was compromised via account takeover/sabotage (no CVE assigned). Se
 ## 🔄 Safer Alternatives
-| Package | Why | Trust Report |
-|---------|-----|-------------|
-| **highland** | High-level streams library | [View score](https://nrupak.com/trust/highland) |
-| **Node.js streams** | Built-in, no dependency needed | [View score](https://nrupak.com/trust/Node.js%20streams) |
-| **through2** | Simple stream wrapper | [View score](https://nrupak.com/trust/through2) |
+| Package | Why | npm | Trust Score |
+|---------|-----|-----|-------------|
+| **highland** | High-level streams library | [npm](https://www.npmjs.com/package/highland) | [View score](https://nrupak.com/trust/highland) |
+| **Node.js streams** | Built-in, no dependency needed | [npm](https://www.npmjs.com/package/Node.js%20streams) | [View score](https://nrupak.com/trust/Node.js%20streams) |
+| **through2** | Simple stream wrapper | [npm](https://www.npmjs.com/package/through2) | [View score](https://nrupak.com/trust/through2) |
-## Maintainers
+## Maintainers (1)
-- [npm](https://nrupak.com/trust/maintainer/npm) ✅ 2FA (org)
+- [npm](https://www.npmjs.com/~npm) ✅ 2FA (org email) — [Trust profile](https://nrupak.com/trust/maintainer/npm)
 **Methodology:** 18+ signals across 4 categories (Maintainer 35%, Package 25%, Supply Chain 25%, Community 15%). [Full scoring docs →](https://nrupak.com/trust)
 **Check your project:** `npm i -g @cyberhub/pkgtrust && pkgtrust scan event-stream` — [CLI docs](https://npmjs.com/package/@cyberhub/pkgtrust)
-**Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
+**Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev · CISA KEV · Packagephobia · OpenSSF Scorecard · Ecosyste.ms · GitHub Enhanced · Keybase · npm Provenance
 ---
 *Report by [pkgtrust](https://nrupak.com/trust/event-stream) · [Dashboard](https://nrupak.com/trust) · [Compare](https://nrupak.com/trust/compare) · [CLI](https://npmjs.com/package/@cyberhub/pkgtrust)*
-*This is an automated security report. Not affiliated with the event-stream team. Updated 2026-04-02.*
+*This is an automated security report. Not affiliated with the event-stream team. Updated 2026-04-10.*

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@cyberhub/trust-event-stream",
-  "version": "1.0.62",
-  "description": "Security Trust Report: event-stream@4.0.1 — 54/100 (C, standard). Security incident detected. Maintainer risk, supply chain analysis from 8 security databases.",
+  "version": "1.0.64",
+  "description": "Security Trust Report: event-stream@4.0.1 — 53/100 (C, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.",
   "keywords": [
     "event-stream",
     "event-stream",
@@ -17,6 +17,7 @@
     "scan",
     "risk",
     "risk-assessment",
+    "GHSA-mh6f-8j2x-4483",
     "highland",
     "Node.js streams",
     "through2",