npm - @cyberhub/trust-next - Versions diffs - 1.0.0 → 1.0.1 - Mend

@cyberhub/trust-next 1.0.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +58 -23
package/package.json +18 -4

package/README.md CHANGED Viewed

@@ -1,38 +1,73 @@
 # Security Trust Report: next
-**Score: 81/100 | Grade: B+ | Tier: TRUSTED**
+**[next@16.2.2](https://www.npmjs.com/package/next): 54/100 | Grade: C | Tier: STANDARD** (confidence: ±3)
-> This package has notable risk factors. Review flags below.
+> Scanned on 2026-04-06 from 8 security databases. [View package on npm →](https://www.npmjs.com/package/next)
+## TL;DR
+- **41 vulnerabilities found** (2 critical, 14 high)
+- Pin your version and monitor for changes
 ## Score Breakdown
-| Category | Score |
+```
+Maintainer Trust:  ███████████████░░░░░ 75/100
+Package Health:    █████████████████░░░ 85/100
+Supply Chain:      ░░░░░░░░░░░░░░░░░░░░ 0/100
+Community:         █████████░░░░░░░░░░░ 45/100
+```
+### Why this score?
+- Supply Chain is 0 because: 41 known CVEs
+- Community is 45 because: no public GitHub repo linked (may be private or on another platform)
+## Vulnerabilities (41 vulnerabilities)
+| Severity | Count |
 |----------|-------|
-| Maintainer Trust | 75/100 |
-| Package Health | 94/100 |
-| Supply Chain | 98/100 |
-| Community | 45/100 |
+| 🔴 Critical | 2 |
+| 🟠 High | 14 |
+| 🟡 Medium | 19 |
+| ⚪ Low | 6 |
-## Vulnerabilities
+- [CVE-2026-29057](https://nvd.nist.gov/vuln/detail/CVE-2026-29057)
+- [GHSA-ggv3-7p47-pfv8](https://github.com/advisories/GHSA-ggv3-7p47-pfv8)
+- [CVE-2026-27980](https://nvd.nist.gov/vuln/detail/CVE-2026-27980)
+- [GHSA-3x4c-7xq6-9pq8](https://github.com/advisories/GHSA-3x4c-7xq6-9pq8)
+- [CVE-2026-27979](https://nvd.nist.gov/vuln/detail/CVE-2026-27979)
+- [GHSA-h27x-g6w4-24gq](https://github.com/advisories/GHSA-h27x-g6w4-24gq)
+- [CVE-2026-27978](https://nvd.nist.gov/vuln/detail/CVE-2026-27978)
+- [GHSA-mq59-m269-xvcx](https://github.com/advisories/GHSA-mq59-m269-xvcx)
-**1 vulnerabilities** (Critical: 0, High: 0)
+## Key Risk Flags
-## Flags
+- 🔴 **CRITICAL**: 2 CRITICAL vulnerabilities from live CVE databases
+- 🟠 **HIGH**: Maintainer(s) removed in v15.0.0-canary.39: rauchg, timneutkens, vercel-release-bot ([evidence](https://www.npmjs.com/package/next/v/15.0.0-canary.39))
+- 🟠 **HIGH**: Maintainer(s) removed in v16.2.0-canary.6: rauchg, timneutkens ([evidence](https://www.npmjs.com/package/next/v/16.2.0-canary.6))
+- 🟠 **HIGH**: Burst publishing detected — 5+ versions in a single day
+- 🟠 **HIGH**: 14 HIGH vulnerabilities detected
-- **HIGH**: Maintainer(s) removed in v15.0.0-canary.39: rauchg, timneutkens, vercel-release-bot
-- **HIGH**: Maintainer(s) removed in v16.2.0-canary.6: rauchg, timneutkens
-- **HIGH**: Burst publishing detected — 5+ versions in a single day
-- **MEDIUM**: New maintainer(s) added in v15.0.0-canary.52: rauchg, timneutkens, vercel-release-bot
-- **MEDIUM**: New maintainer(s) added in v16.2.0-canary.6: zeit-bot
-- **MEDIUM**: No GitHub repo found — community signals unavailable
-- **LOW**: Erratic publish cadence — highly irregular release intervals
-- **INFO**: Published with 2FA enabled (signed)
-- **INFO**: Package has provenance signatures
+## 🛠️ What Should You Do?
-## Maintainers
+**Immediate:**
+- Upgrade to the latest version (`npm update next`)
-- vercel-release-bot (2FA)
-- zeit-bot (2FA)
+**Always:** Pin version, run `pkgtrust scan` in CI, monitor at [nrupak.com/trust/next](https://nrupak.com/trust/next)
+## Maintainers (2)
+- [vercel-release-bot](https://www.npmjs.com/~vercel-release-bot) ✅ 2FA (org email) — [Trust profile](https://nrupak.com/trust/maintainer/vercel-release-bot)
+- [zeit-bot](https://www.npmjs.com/~zeit-bot) ✅ 2FA (org email) — [Trust profile](https://nrupak.com/trust/maintainer/zeit-bot)
+**Methodology:** 18+ signals across 4 categories (Maintainer 35%, Package 25%, Supply Chain 25%, Community 15%). [Full scoring docs →](https://nrupak.com/trust)
+**Check your project:** `npm i -g @cyberhub/pkgtrust && pkgtrust scan next` — [CLI docs](https://npmjs.com/package/@cyberhub/pkgtrust)
+**Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev
 ---
-*[pkgtrust](https://nrupak.com/trust/next) | [Dashboard](https://nrupak.com/trust) | Updated 2026-04-02*
+*Report by [pkgtrust](https://nrupak.com/trust/next) · [Dashboard](https://nrupak.com/trust) · [Compare](https://nrupak.com/trust/compare) · [CLI](https://npmjs.com/package/@cyberhub/pkgtrust)*
+*This is an automated security report. Not affiliated with the next team. Updated 2026-04-06.*

package/package.json CHANGED Viewed

@@ -1,17 +1,31 @@
 {
   "name": "@cyberhub/trust-next",
-  "version": "1.0.0",
-  "description": "Security Trust Report for next — 81/100 (B+, trusted). Maintainer risk and vulnerability analysis from 8 security databases.",
+  "version": "1.0.1",
+  "description": "Security Trust Report: next@16.2.2 — 54/100 (C, standard). 41 vulnerabilities found. Maintainer risk, supply chain analysis from 8 security databases.",
   "keywords": [
+    "next",
     "next",
     "security",
+    "security-report",
     "trust-score",
     "vulnerability",
+    "npm-audit",
+    "npm-security",
+    "supply-chain",
     "pkgtrust",
-    "CVE"
+    "audit",
+    "scan",
+    "risk",
+    "risk-assessment",
+    "CVE-2026-29057",
+    "GHSA-ggv3-7p47-pfv8",
+    "CVE-2026-27980",
+    "GHSA-3x4c-7xq6-9pq8",
+    "CVE-2026-27979",
+    "standard"
   ],
   "license": "MIT",
-  "author": "Nrupak Shah",
+  "author": "Nrupak Shah <nrupaks@gmail.com>",
   "repository": {
     "type": "git",
     "url": "https://github.com/nrupaks/pkgtrust"