Installations
npm install @pnpm/license-scannerDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS, ESM
Min. Node Version
>=18.12
Node Version
20.18.1
NPM Version
10.8.2
Score
52.7
Supply Chain
67.2
Quality
94.4
Maintenance
100
Vulnerability
98.6
License
Releases
977
Contributors
309
Languages
4
TypeScript
JavaScript
Shell
Batchfile
TypeScript (99.41%)
JavaScript (0.52%)
Shell (0.05%)
Batchfile (0.02%)
Developer
Download Statistics
Total Downloads
21,817
Last Day
9
Last Week
179
Last Month
755
Last Year
11,564
GitHub Statistics
30,644 Stars
9,487 Commits
1,061 Forks
143 Watching
264 Branches
309 Contributors
Sponsor this package
Maintainers
2
Package Meta Information
Latest Version
1001.0.5
Package Id
@pnpm/license-scanner@1001.0.5
Unpacked Size
38.37 kB
Size
10.49 kB
File Count
14
NPM Version
10.8.2
Node Version
20.18.1
Publised On
26 Jan 2025
Total Downloads
Cumulative downloads
Total Downloads
21,817
Last day
-59.1%
9
Compared to previous day
Last week
115.7%
179
Compared to previous week
Last month
37%
755
Compared to previous month
Last year
23.4%
11,564
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
17
Peer Dependencies
1
Versions
@pnpm/license-scanner
Check for the license of packages
Installation
1pnpm add @pnpm/license-scanner
License
No vulnerabilities found.
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
GitHub workflow tokens follow principle of least privilege
Details
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:29
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:30
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:14
- Info: topLevel 'contents' permission set to 'read': .github/workflows/audit.yml:6
- Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:6
- Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:24
- Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yml:9
- Info: found token with 'none' permissions: .github/workflows/update-latest.yml:1
Reason
30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
no binaries found in the repo
Reason
SAST tool detected but not run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Warn: 17 commits out of 19 are checked with a SAST tool
Reason
Found 17/30 approved changesets -- score normalized to 5
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
Project has not signed or included provenance with any releases.
Details
- Warn: release artifact v10.1.0 not signed: https://api.github.com/repos/pnpm/pnpm/releases/196842534
- Warn: release artifact v9.15.4 not signed: https://api.github.com/repos/pnpm/pnpm/releases/194473764
- Warn: release artifact v10.0.0 not signed: https://api.github.com/repos/pnpm/pnpm/releases/193511053
- Warn: release artifact v10.0.0-rc.3 not signed: https://api.github.com/repos/pnpm/pnpm/releases/193205597
- Warn: release artifact v9.15.3 not signed: https://api.github.com/repos/pnpm/pnpm/releases/193225276
- Warn: release artifact v10.1.0 does not have provenance: https://api.github.com/repos/pnpm/pnpm/releases/196842534
- Warn: release artifact v9.15.4 does not have provenance: https://api.github.com/repos/pnpm/pnpm/releases/194473764
- Warn: release artifact v10.0.0 does not have provenance: https://api.github.com/repos/pnpm/pnpm/releases/193511053
- Warn: release artifact v10.0.0-rc.3 does not have provenance: https://api.github.com/repos/pnpm/pnpm/releases/193205597
- Warn: release artifact v9.15.3 does not have provenance: https://api.github.com/repos/pnpm/pnpm/releases/193225276
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/audit.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/audit.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/audit.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-latest.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/update-latest.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-latest.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/update-latest.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-latest.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/update-latest.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-latest.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/pnpm/pnpm/update-latest.yml/main?enable=pin
- Info: 0 out of 8 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 7 third-party GitHubAction dependencies pinned
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
114 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-4gmj-3p3h-gm8h
- Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
- Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
- Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
- Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
- Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
- Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
- Warn: Project is vulnerable to: GHSA-v88g-cgmw-v5xw
- Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m
- Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
- Warn: Project is vulnerable to: GHSA-29xr-v42j-r956
- Warn: Project is vulnerable to: GHSA-fwr7-v2mv-hh25
- Warn: Project is vulnerable to: GHSA-42xw-2xvc-qx8m
- Warn: Project is vulnerable to: GHSA-4w2v-q235-vp99
- Warn: Project is vulnerable to: GHSA-cph5-m8f7-6c5x
- Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
- Warn: Project is vulnerable to: GHSA-pp7h-53gx-mx7r
- Warn: Project is vulnerable to: GHSA-cwfw-4gq5-mrqx
- Warn: Project is vulnerable to: GHSA-g95f-p29q-9xw4
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
- Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq
- Warn: Project is vulnerable to: GHSA-9j49-mfvp-vmhm
- Warn: Project is vulnerable to: GHSA-j4f2-536g-r55m
- Warn: Project is vulnerable to: GHSA-r7qp-cfhv-p84w
- Warn: Project is vulnerable to: GHSA-74fj-2j2h-c42q
- Warn: Project is vulnerable to: GHSA-pw2r-vq6v-hr8c
- Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
- Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
- Warn: Project is vulnerable to: GHSA-8r6j-v8pm-fqw3
- Warn: Project is vulnerable to: MAL-2023-462
- Warn: Project is vulnerable to: GHSA-44pw-h2cw-w3vq
- Warn: Project is vulnerable to: GHSA-jp4x-w63m-7wgm
- Warn: Project is vulnerable to: GHSA-c429-5p7v-vgjp
- Warn: Project is vulnerable to: GHSA-6x33-pw7p-hmpq
- Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-896r-f27r-55mw
- Warn: Project is vulnerable to: GHSA-282f-qqgm-c34q
- Warn: Project is vulnerable to: GHSA-7x7c-qm48-pq9c
- Warn: Project is vulnerable to: GHSA-rc3x-jf5g-xvc5
- Warn: Project is vulnerable to: GHSA-6c8f-qphg-qjgp
- Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
- Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
- Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
- Warn: Project is vulnerable to: GHSA-82v2-mx6x-wq7q
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-4c7m-wxvm-r7gc
- Warn: Project is vulnerable to: GHSA-pch5-whg9-qr2r
- Warn: Project is vulnerable to: GHSA-48ww-j4fc-435p
- Warn: Project is vulnerable to: GHSA-hwqf-gcqm-7353
- Warn: Project is vulnerable to: GHSA-9h6g-pr28-7cqp
- Warn: Project is vulnerable to: GHSA-6fx8-h7jm-663j
- Warn: Project is vulnerable to: GHSA-35q2-47q7-3pc3
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-hjp8-2cm3-cc45
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-fxwf-4rqh-v8g3
- Warn: Project is vulnerable to: GHSA-25hc-qcg6-38wj
- Warn: Project is vulnerable to: GHSA-xfhh-g9f5-x4m4
- Warn: Project is vulnerable to: GHSA-qm95-pgcg-qqfq
- Warn: Project is vulnerable to: GHSA-cqmj-92xf-r6r9
- Warn: Project is vulnerable to: GHSA-38h8-x697-gh8q
- Warn: Project is vulnerable to: GHSA-9r2w-394v-53qc
- Warn: Project is vulnerable to: GHSA-5955-9wpr-37jh
- Warn: Project is vulnerable to: GHSA-qq89-hq3f-393p
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-f523-2f5j-gfcg
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-xc7v-wxcw-j472
- Warn: Project is vulnerable to: GHSA-cf4h-3jhx-xvhq
- Warn: Project is vulnerable to: GHSA-9m6j-fcg5-2442
- Warn: Project is vulnerable to: GHSA-hh27-ffr2-f2jc
- Warn: Project is vulnerable to: GHSA-rqff-837h-mm52
- Warn: Project is vulnerable to: GHSA-8v38-pw62-9cw2
- Warn: Project is vulnerable to: GHSA-hgjh-723h-mx2j
- Warn: Project is vulnerable to: GHSA-jf5r-8hm2-f872
- Warn: Project is vulnerable to: GHSA-mgfv-m47x-4wqp
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
- Warn: Project is vulnerable to: GHSA-72mh-269x-7mh5
- Warn: Project is vulnerable to: GHSA-h4j5-c7cj-74xg
- Warn: Project is vulnerable to: GHSA-qqgx-2p2h-9c37
- Warn: Project is vulnerable to: GHSA-gpvr-g6gh-9mc2
- Warn: Project is vulnerable to: GHSA-cm5g-3pgc-8rg4
- Warn: Project is vulnerable to: GHSA-jf85-cpcp-j695
- Warn: Project is vulnerable to: GHSA-fvqr-27wr-82fm
- Warn: Project is vulnerable to: GHSA-4xc9-xhrj-v574
- Warn: Project is vulnerable to: GHSA-x5rq-j2xg-h7qm
- Warn: Project is vulnerable to: GHSA-w9mr-4mfr-499f
- Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
- Warn: Project is vulnerable to: GHSA-832h-xg76-4gv6
- Warn: Project is vulnerable to: GHSA-hxm2-r34f-qmc5
- Warn: Project is vulnerable to: GHSA-3fw8-66wf-pr7m
- Warn: Project is vulnerable to: GHSA-6w62-83g6-rfhj
- Warn: Project is vulnerable to: GHSA-rch9-xh7r-mqgw
- Warn: Project is vulnerable to: GHSA-434g-2637-qmqr
- Warn: Project is vulnerable to: GHSA-49q7-c7j4-3p7m
- Warn: Project is vulnerable to: GHSA-977x-g7h5-7qgw
- Warn: Project is vulnerable to: GHSA-f7q4-pwc6-w24p
- Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq
- Warn: Project is vulnerable to: GHSA-wrvr-8mpx-r7pp
- Warn: Project is vulnerable to: GHSA-f9cm-p3w6-xvr3
- Warn: Project is vulnerable to: GHSA-jjv7-qpx3-h62q
- Warn: Project is vulnerable to: GHSA-gqgv-6jq5-jjj9
- Warn: Project is vulnerable to: GHSA-hc6q-2mpp-qw7j
- Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986
- Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp
Score
6
/10
Last Scanned on 2025-01-27
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More