Installations
npm install @npmcli/arborist
Releases
libnpmversion: v8.0.0-pre.0
Published on 26 Nov 2024
libnpmteam: v8.0.0-pre.0
Published on 26 Nov 2024
libnpmsearch: v9.0.0-pre.0
Published on 26 Nov 2024
libnpmpublish: v11.0.0-pre.0
Published on 26 Nov 2024
libnpmpack: v9.0.0-pre.0
Published on 26 Nov 2024
libnpmorg: v8.0.0-pre.0
Published on 26 Nov 2024
Developer
Developer Guide
Module System
CommonJS
Min. Node Version
^18.17.0 || >=20.5.0
Typescript Support
No
Node Version
22.7.0
NPM Version
10.9.0
Statistics
8,520 Stars
12,623 Commits
3,194 Forks
220 Watching
23 Branches
920 Contributors
Updated on 27 Nov 2024
Languages
JavaScript (99.72%)
Handlebars (0.17%)
Shell (0.08%)
Batchfile (0.01%)
PowerShell (0.01%)
Total Downloads
Cumulative downloads
255,565,398
Last day
3.2%
500,292
Compared to previous day
Last week
4.6%
2,724,877
Compared to previous week
Last month
9.8%
11,156,728
Compared to previous month
Last year
28.5%
108,891,388
Compared to previous year
Dependencies
35
npm - a JavaScript package manager
Requirements
One of the following versions of Node.js must be installed to run npm:
- 18.x.x >= 18.17.0
- 20.5.0 or higher
Installation
npm comes bundled with node, & most third-party distributions, by default. Officially supported downloads/distributions can be found at: nodejs.org/en/download
Direct Download
You can download & install npm directly from npmjs.com using our custom install.sh script:
curl -qL https://www.npmjs.com/install.sh | sh
Node Version Managers
If you're looking to manage multiple versions of Node.js &/or npm, consider using a node version manager
Usage
npm <command>
Links & Resources
- Documentation - Official docs & how-tos for all things npm
  - Note: you can also search docs locally with npm help-search <query>
- Bug Tracker - Search or submit bugs against the CLI
- Roadmap - Track & follow along with our public roadmap
- Community Feedback and Discussions - Contribute ideas & discussion around the npm registry, website & CLI
- RFCs - Contribute ideas & specifications for the API/design of the npm CLI
- Service Status - Monitor the current status & see incident reports for the website & registry
- Project Status - See the health of all our maintained OSS projects in one view
- Events Calendar - Keep track of our Open RFC calls, releases, meetups, conferences & more
- Support - Experiencing problems with the npm website or registry? File a ticket here
Acknowledgments
- npm is configured to use the npm Public Registry at https://registry.npmjs.org by default; Usage of this registry is subject to Terms of Use available at https://npmjs.com/policies/terms
- You can configure npm to use any other compatible registry you prefer. You can read more about configuring third-party registries here
FAQ on Branding
Is it "npm" or "NPM" or "Npm"?
npm should never be capitalized unless it is being displayed in a location that is customarily all-capitals (ex. titles on man pages).
Is "npm" an acronym for "Node Package Manager"?
Contrary to popular belief, npm is not in fact an acronym for "Node Package Manager"; It is a recursive bacronymic abbreviation for "npm is not an acronym" (if the project was named "ninaa", then it would be an acronym). The precursor to npm was actually a bash utility named "pm", which was the shortform name of "pkgmakeinst" - a bash function that installed various things on various platforms. If npm were to ever have been considered an acronym, it would be as "node pm" or, potentially "new pm".
Stable Version
8.0.0
HIGH
2
8.2/10
Summary
UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
Affected Versions
< 2.8.2
Patched Versions
2.8.2
8.2/10
Summary
@npmcli/arborist vulnerable to UNIX Symbolic Link (Symlink) Following
Affected Versions
< 2.8.2
Patched Versions
2.8.2
Reason
all changesets reviewed
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
SAST tool is run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Info: all commits (30) are checked with a SAST tool
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Warn: project license file does not contain an FSF or OSI license.
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:23
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:24
- Warn: no topLevel permission defined: .github/workflows/audit.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-libnpmaccess.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-libnpmdiff.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-libnpmexec.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-libnpmfund.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-libnpmorg.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-libnpmpack.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-libnpmpublish.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-libnpmsearch.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-libnpmteam.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-libnpmversion.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-npmcli-arborist.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-npmcli-config.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-npmcli-docs.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-npmcli-mock-globals.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-npmcli-mock-registry.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-npmcli-smoke-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-release.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1
- Warn: no topLevel permission defined: .github/workflows/create-node-pr.yml:1
- Warn: no topLevel permission defined: .github/workflows/node-integration.yml:1
- Warn: no topLevel permission defined: .github/workflows/pull-request.yml:1
- Warn: no topLevel permission defined: .github/workflows/release-integration.yml:1
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:12
- Warn: topLevel 'checks' permission set to 'write': .github/workflows/release.yml:14
- Info: no jobLevel write permissions found
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: npmCommand not pinned by hash: .github/workflows/node-integration.yml:248
- Warn: npmCommand not pinned by hash: .github/workflows/node-integration.yml:410
- Info: 0 out of 106 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 16 third-party GitHubAction dependencies pinned
- Info: 0 out of 2 npmCommand dependencies pinned
Reason
98 existing vulnerabilities detected
Score
6.2/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Other packages similar to @npmcli/arborist
@types/npmcli__arborist
TypeScript definitions for @npmcli/arborist
@npmcli/query
npm query parser and tools
npm-audit-report
Given a response from the npm security api, render it into a variety of security reports
@npmcli/metavuln-calculator
Calculate meta-vulnerabilities from package security advisories