@cyberhub/trust-faker 1.0.1 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +79 -40
  2. package/package.json +16 -4
package/README.md CHANGED
@@ -1,63 +1,102 @@
1
1
  # Security Trust Report: faker
2
2
 
3
- **Score: 54/100 | Grade: C | Tier: STANDARD** (confidence: ±3)
3
+ **faker@6.6.6: 54/100 | Grade: C | Tier: STANDARD** (confidence: ±3)
4
4
 
5
- > ⚠️ Notable risk factors. Review flags and actions below.
5
+ > Data verified on 2026-04-02 from 8 security databases.
6
+
7
+ ## TL;DR
8
+
9
+ - **1 vulnerability found** (0 critical, 1 high)
10
+ - Consider switching to **@faker-js/faker** (Community fork, actively maintained)
11
+ - Pin your version and monitor for changes
12
+
13
+ ## ⚠️ Security Incident Background
14
+
15
+ In January 2022, the same maintainer (marak) deleted all code from faker and replaced it with a protest message. The community fork @faker-js/faker was created to restore the functionality.
6
16
 
7
17
  ## Score Breakdown
8
18
 
9
- | Category | Score |
10
- |----------|-------|
11
- | Maintainer Trust | 38/100 |
12
- | Package Health | 90/100 |
13
- | Supply Chain | 47/100 |
14
- | Community | 43/100 |
19
+ ```
20
+ Maintainer Trust: ████████░░░░░░░░░░░░ 38/100
21
+ Package Health: ██████████████████░░ 90/100
22
+ Supply Chain: █████████░░░░░░░░░░░ 47/100
23
+ Community: █████████░░░░░░░░░░░ 43/100
24
+ ```
15
25
 
16
- ## Vulnerabilities
26
+ ### Why this score?
17
27
 
18
- **1 vulnerabilities** (Critical: 0, High: 1, Medium: 0)
28
+ - Maintainer Trust is 38 because: single maintainer (bus factor risk), maintainer changes detected
29
+ - Supply Chain is 47 because: 1 known CVEs, in breach database
30
+ - Community is 43 because: no GitHub repo found
31
+
32
+ ## Vulnerabilities (1 vulnerability)
33
+
34
+ | Severity | Count |
35
+ |----------|-------|
36
+ | 🟠 High | 1 |
19
37
 
20
38
  - [GHSA-5w9c-rv96-fr7g](https://github.com/advisories/GHSA-5w9c-rv96-fr7g)
21
39
 
22
- ## Flags
23
-
24
- - **CRITICAL**: HISTORICAL BREACH: Maintainer sabotaged — deleted all code (2022)
25
- - **CRITICAL**: Maintainer "marak" has history of package sabotage
26
- - **HIGH**: Maintainer(s) removed in v2.1.4: fotoverite
27
- - **HIGH**: 1 HIGH severity vulnerability(ies) detected
28
- - **MEDIUM**: New maintainer(s) added in v2.0.0: marak
29
- - **MEDIUM**: Single maintainer — bus factor risk
30
- - **MEDIUM**: Package dormant — last published 1548 days ago
31
- - **MEDIUM**: No GitHub repo found — community signals unavailable
32
- - **LOW**: Erratic publish cadence — highly irregular release intervals
33
- - **LOW**: Single maintainer using free email service
34
- - **INFO**: Published with 2FA enabled (signed)
35
- - **INFO**: Package has provenance signatures
40
+ ## Key Risk Flags
36
41
 
37
- ## 🛠️ What Should You Do?
42
+ - 🔴 **CRITICAL**: HISTORICAL BREACH: Maintainer sabotaged — deleted all code (2022)
43
+ - 🔴 **CRITICAL**: Maintainer "marak" has history of package sabotage
44
+ - 🟠 **HIGH**: Maintainer(s) removed in v2.1.4: fotoverite
45
+ - 🟠 **HIGH**: 1 HIGH severity vulnerability(ies) detected
38
46
 
39
- **Immediate actions:**
40
- - ⛔ HISTORICAL BREACH: Maintainer sabotaged — deleted all code (2022)
41
- - ⛔ Maintainer "marak" has history of package sabotage
47
+ ## 🛠️ What Should You Do?
42
48
 
43
- **Review:**
44
- - 🟠 Maintainer(s) removed in v2.1.4: fotoverite
45
- - 🟠 1 HIGH severity vulnerability(ies) detected
49
+ **Immediate:**
50
+ - Upgrade to the latest version (`npm update faker`)
51
+ - Review the security incident details above
52
+ - Consider replacing with [@faker-js/faker](https://nrupak.com/trust/%40faker-js%2Ffaker)
46
53
 
47
- **Pin your version** and monitor for changes.
54
+ **Always:**
55
+ - Pin exact version: `"faker": "6.6.6"`
56
+ - Run `pkgtrust scan` in your CI pipeline
57
+ - Monitor: [nrupak.com/trust/faker](https://nrupak.com/trust/faker)
48
58
 
49
- ## 🔄 Alternatives
59
+ ## 🔄 Safer Alternatives
50
60
 
51
- | Package | Why |
52
- |---------|-----|
53
- | [@faker-js/faker](https://nrupak.com/trust/%40faker-js%2Ffaker) | Community fork, actively maintained |
54
- | [chance](https://nrupak.com/trust/chance) | Random data generator |
61
+ | Package | Why | Trust Report |
62
+ |---------|-----|-------------|
63
+ | **@faker-js/faker** | Community fork, actively maintained | [View score](https://nrupak.com/trust/%40faker-js%2Ffaker) |
64
+ | **chance** | Random data generator | [View score](https://nrupak.com/trust/chance) |
55
65
 
56
66
  ## Maintainers
57
67
 
58
- - marak ✅ 2FA
68
+ - **marak** ✅ 2FA enabled (freemail)
59
69
 
60
- **Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
70
+ ## Methodology
71
+
72
+ This score is computed from **18+ signals** across **4 categories**:
73
+ - **Maintainer Trust (35%)**: Account age, 2FA, publish cadence, maintainer changes, email domain
74
+ - **Package Health (25%)**: Install scripts, dependency count, license, provenance, size changes, code quality
75
+ - **Supply Chain (25%)**: Live CVEs from 8 databases, known breaches, typosquatting, transitive risk
76
+ - **Community (15%)**: GitHub stars, contributors, CI, OpenSSF Scorecard, npms.io quality
77
+
78
+ [Full scoring methodology →](https://nrupak.com/trust)
79
+
80
+ ## Check Your Project
81
+
82
+ ```bash
83
+ # Install pkgtrust
84
+ npm install -g @cyberhub/pkgtrust
85
+
86
+ # Scan a specific package
87
+ pkgtrust scan faker
88
+
89
+ # Scan all your dependencies
90
+ pkgtrust scan
91
+
92
+ # Compare alternatives
93
+ pkgtrust compare faker @faker-js/faker chance
94
+ ```
95
+
96
+ **Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
61
97
 
62
98
  ---
63
- *[pkgtrust](https://nrupak.com/trust/faker) | [Compare](https://nrupak.com/trust/compare) | [CLI](https://npmjs.com/package/@cyberhub/pkgtrust) | Updated 2026-04-02*
99
+
100
+ *Report by [pkgtrust](https://nrupak.com/trust/faker) · [Dashboard](https://nrupak.com/trust) · [Compare](https://nrupak.com/trust/compare) · [CLI](https://npmjs.com/package/@cyberhub/pkgtrust)*
101
+
102
+ *This is an automated security report. Not affiliated with the faker team. Updated 2026-04-02.*
package/package.json CHANGED
@@ -1,17 +1,29 @@
1
1
  {
2
2
  "name": "@cyberhub/trust-faker",
3
- "version": "1.0.1",
4
- "description": "Security Trust Report for faker — 54/100 (C, standard). 8 security databases.",
3
+ "version": "1.0.2",
4
+ "description": "Security Trust Report: faker@6.6.6 — 54/100 (C, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.",
5
5
  "keywords": [
6
+ "faker",
6
7
  "faker",
7
8
  "security",
9
+ "security-report",
8
10
  "trust-score",
9
11
  "vulnerability",
12
+ "npm-audit",
13
+ "npm-security",
14
+ "supply-chain",
10
15
  "pkgtrust",
11
- "CVE"
16
+ "audit",
17
+ "scan",
18
+ "risk",
19
+ "risk-assessment",
20
+ "GHSA-5w9c-rv96-fr7g",
21
+ "@faker-js/faker",
22
+ "chance",
23
+ "standard"
12
24
  ],
13
25
  "license": "MIT",
14
- "author": "Nrupak Shah",
26
+ "author": "Nrupak Shah <nrupaks@gmail.com>",
15
27
  "repository": {
16
28
  "type": "git",
17
29
  "url": "https://github.com/nrupaks/pkgtrust"