npm - @cyberhub/trust-faker - Versions diffs - 1.0.0 → 1.0.2 - Mend

@cyberhub/trust-faker 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +86 -22
package/package.json +16 -4

package/README.md CHANGED Viewed

@@ -1,38 +1,102 @@
 # Security Trust Report: faker
-**Score: 56/100 | Grade: C+ | Tier: STANDARD**
+**faker@6.6.6: 54/100 | Grade: C | Tier: STANDARD** (confidence: ±3)
-> This package has notable risk factors. Review flags below.
+> Data verified on 2026-04-02 from 8 security databases.
+## TL;DR
+- **1 vulnerability found** (0 critical, 1 high)
+- Consider switching to **@faker-js/faker** (Community fork, actively maintained)
+- Pin your version and monitor for changes
+## ⚠️ Security Incident Background
+In January 2022, the same maintainer (marak) deleted all code from faker and replaced it with a protest message. The community fork @faker-js/faker was created to restore the functionality.
 ## Score Breakdown
-| Category | Score |
+```
+Maintainer Trust:  ████████░░░░░░░░░░░░ 38/100
+Package Health:    ██████████████████░░ 90/100
+Supply Chain:      █████████░░░░░░░░░░░ 47/100
+Community:         █████████░░░░░░░░░░░ 43/100
+```
+### Why this score?
+- Maintainer Trust is 38 because: single maintainer (bus factor risk), maintainer changes detected
+- Supply Chain is 47 because: 1 known CVEs, in breach database
+- Community is 43 because: no GitHub repo found
+## Vulnerabilities (1 vulnerability)
+| Severity | Count |
 |----------|-------|
-| Maintainer Trust | 38/100 |
-| Package Health | 99/100 |
-| Supply Chain | 47/100 |
-| Community | 43/100 |
+| 🟠 High | 1 |
+- [GHSA-5w9c-rv96-fr7g](https://github.com/advisories/GHSA-5w9c-rv96-fr7g)
+## Key Risk Flags
+- 🔴 **CRITICAL**: HISTORICAL BREACH: Maintainer sabotaged — deleted all code (2022)
+- 🔴 **CRITICAL**: Maintainer "marak" has history of package sabotage
+- 🟠 **HIGH**: Maintainer(s) removed in v2.1.4: fotoverite
+- 🟠 **HIGH**: 1 HIGH severity vulnerability(ies) detected
+## 🛠️ What Should You Do?
-## Vulnerabilities
+**Immediate:**
+- Upgrade to the latest version (`npm update faker`)
+- Review the security incident details above
+- Consider replacing with [@faker-js/faker](https://nrupak.com/trust/%40faker-js%2Ffaker)
-**1 vulnerabilities** (Critical: 0, High: 1)
+**Always:**
+- Pin exact version: `"faker": "6.6.6"`
+- Run `pkgtrust scan` in your CI pipeline
+- Monitor: [nrupak.com/trust/faker](https://nrupak.com/trust/faker)
-## Flags
+## 🔄 Safer Alternatives
-- **CRITICAL**: HISTORICAL BREACH: Maintainer sabotaged — deleted all code (2022)
-- **CRITICAL**: Maintainer "marak" has history of package sabotage
-- **HIGH**: Maintainer(s) removed in v2.1.4: fotoverite
-- **HIGH**: 1 HIGH severity vulnerability(ies) detected
-- **MEDIUM**: New maintainer(s) added in v2.0.0: marak
-- **MEDIUM**: Single maintainer — bus factor risk
-- **MEDIUM**: Package dormant — last published 1548 days ago
-- **MEDIUM**: No GitHub repo found — community signals unavailable
-- **LOW**: Erratic publish cadence — highly irregular release intervals
-- **LOW**: Single maintainer using free email service
+| Package | Why | Trust Report |
+|---------|-----|-------------|
+| **@faker-js/faker** | Community fork, actively maintained | [View score](https://nrupak.com/trust/%40faker-js%2Ffaker) |
+| **chance** | Random data generator | [View score](https://nrupak.com/trust/chance) |
 ## Maintainers
-- marak (2FA)
+- **marak** ✅ 2FA enabled (freemail)
+## Methodology
+This score is computed from **18+ signals** across **4 categories**:
+- **Maintainer Trust (35%)**: Account age, 2FA, publish cadence, maintainer changes, email domain
+- **Package Health (25%)**: Install scripts, dependency count, license, provenance, size changes, code quality
+- **Supply Chain (25%)**: Live CVEs from 8 databases, known breaches, typosquatting, transitive risk
+- **Community (15%)**: GitHub stars, contributors, CI, OpenSSF Scorecard, npms.io quality
+[Full scoring methodology →](https://nrupak.com/trust)
+## Check Your Project
+```bash
+# Install pkgtrust
+npm install -g @cyberhub/pkgtrust
+# Scan a specific package
+pkgtrust scan faker
+# Scan all your dependencies
+pkgtrust scan
+# Compare alternatives
+pkgtrust compare faker @faker-js/faker chance
+```
+**Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
 ---
-*[pkgtrust](https://nrupak.com/trust/faker) | [Dashboard](https://nrupak.com/trust) | Updated 2026-04-02*
+*Report by [pkgtrust](https://nrupak.com/trust/faker) · [Dashboard](https://nrupak.com/trust) · [Compare](https://nrupak.com/trust/compare) · [CLI](https://npmjs.com/package/@cyberhub/pkgtrust)*
+*This is an automated security report. Not affiliated with the faker team. Updated 2026-04-02.*

package/package.json CHANGED Viewed

@@ -1,17 +1,29 @@
 {
   "name": "@cyberhub/trust-faker",
-  "version": "1.0.0",
-  "description": "Security Trust Report for faker — 56/100 (C+, standard). Maintainer risk and vulnerability analysis from 8 security databases.",
+  "version": "1.0.2",
+  "description": "Security Trust Report: faker@6.6.6 — 54/100 (C, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.",
   "keywords": [
+    "faker",
     "faker",
     "security",
+    "security-report",
     "trust-score",
     "vulnerability",
+    "npm-audit",
+    "npm-security",
+    "supply-chain",
     "pkgtrust",
-    "CVE"
+    "audit",
+    "scan",
+    "risk",
+    "risk-assessment",
+    "GHSA-5w9c-rv96-fr7g",
+    "@faker-js/faker",
+    "chance",
+    "standard"
   ],
   "license": "MIT",
-  "author": "Nrupak Shah",
+  "author": "Nrupak Shah <nrupaks@gmail.com>",
   "repository": {
     "type": "git",
     "url": "https://github.com/nrupaks/pkgtrust"