Gathering detailed insights and metrics for audit-ci
Gathering detailed insights and metrics for audit-ci
Audit NPM, Yarn, PNPM, and Bun dependencies in continuous integration environments, preventing integration if vulnerabilities are found at or above a configurable threshold while ignoring allowlisted advisories
Installations
npm install audit-ciDeveloper
IBM
Developer Guide
BETA
Module System
ESM
Min. Node Version
>=16
Typescript Support
Yes
Node Version
18.20.3
NPM Version
10.7.0
Statistics
264 Stars
479 Commits
43 Forks
8 Watching
1 Branches
37 Contributors
Updated on 27 Nov 2024
Languages
TypeScript (99.48%)
JavaScript (0.52%)
Total Downloads
Cumulative downloads
Total Downloads
26,416,134
Last day
-19.4%
28,297
Compared to previous day
Last week
-4.6%
174,677
Compared to previous week
Last month
4.4%
766,044
Compared to previous month
Last year
24.8%
8,015,553
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
9
Dev Dependencies
23
@tsconfig/node18@types/cross-spawn@types/event-stream@types/jju@types/jsonstream-next@types/node@types/readline-transform@types/semver@types/yargs@typescript-eslint/eslint-plugin@typescript-eslint/parser@vitest/coverage-v8audit-typesconcurrentlyeslinteslint-config-prettiereslint-plugin-importeslint-plugin-unicornprettierts-json-schema-generatortsuptypescriptvitest
Versions
audit-ci
This module is intended to be consumed by your favourite continuous integration tool to
halt execution if npm audit, yarn audit, or pnpm audit finds vulnerabilities at or above the specified
threshold while ignoring allowlisted advisories.
Note: Use our codemod to update to
audit-civ6.0.0
Requirements
- Node >=16
- (Optional) Yarn ^1.12.3 || Yarn >=2.4.0 && <4.0.0
- (Optional) PNPM >=4.3.0
- (Optional) Bun
Limitations
- Yarn Classic workspaces does not audit
devDependencies. See this issue for more information. - Yarn v4 is not supported because it provides similar functionality to
audit-ci. For more information, see the documentation onyarn npm audit. If you'd likeaudit-cito support Yarn v4, voice your opinion on this issue. - Bun is supported by exporting the
bun.lockbinto a Yarn v1yarn.lockfile. Accordingly, auditing abun.lockbfile withaudit-cirequires Yarn v1.
Set up
(Recommended) Install audit-ci during your CI environment using npx, yarn dlx, or pnpm dlx immediately after checking out the project's repository.
1# Use the option for your project's package manager, pinning to a major version to avoid breaking changes 2npx audit-ci@^7 --config ./audit-ci.jsonc 3yarn dlx audit-ci@^7 --config ./audit-ci.jsonc 4pnpm dlx audit-ci@^7 --config ./audit-ci.jsonc
Alternatively, audit-ci can be installed as a devDependency.
The downside of this approach is that the CI may run a postinstall script of a compromised package before running audit-ci.
1# Use the option for your project's package manager 2npm install -D audit-ci 3yarn add -D audit-ci 4pnpm install -D audit-ci 5bun install -D audit-ci
The next section gives examples using audit-ci in various CI environments.
It assumes moderate, high, and critical severity vulnerabilities prevent build continuation.
Also, it suppresses an advisory of axios and a transitive advisory of react-scripts.
1// audit-ci.jsonc 2{ 3 // $schema provides code completion hints to IDEs. 4 "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json", 5 "moderate": true, 6 "allowlist": [ 7 // Axios denial of service https://github.com/advisories/GHSA-42xw-2xvc-qx8m 8 "GHSA-42xw-2xvc-qx8m", 9 // The following are for the latest create-react-app 10 // https://github.com/advisories/GHSA-rp65-9cf3-cjxr 11 // Alternatively, allowlist "GHSA-rp65-9cf3-cjxr" to suppress this nth-check advisory across all paths 12 // or "*|react-scripts>*" to suppress advisories for all transitive dependencies of "react-scripts". 13 "GHSA-rp65-9cf3-cjxr|react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check", 14 ], 15}
Bun
Bun supports exporting the bun.lockb into a Yarn v1 yarn.lock file.
1bun install -y
Afterwards, you can run audit-ci with the yarn package manager.
Allowlisting
Allowlists are a mechanism to suppress an advisory warning from the audit. A team may want to suppress an advisory when:
- A fix has already been started
- There is no bandwidth to fix the advisory
- The risk is tolerable for the project
- The advisory is inaccurate or incorrect
- The vulnerable code is not actually used
An allowlist may contain multiple allowlist records. There are three categories of allowlist record formats:
moduleallowlist record (example:axios, suppresses all advisories directly caused byaxios, not transitive advisories)advisoryallowlist record (example:GHSA-42xw-2xvc-qx8m, suppresses all instances of advisory based on the GitHub advisory identifier)pathallowlist record (example:GHSA-rp65-9cf3-cjxr|react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check, the specific and full advisory path with wildcard support)
When audit-ci identifies new advisories at or above the configured level, the CI pipeline will fail.
1Found vulnerable advisory paths: 2GHSA-pw2r-vq6v-hr8c|axios>follow-redirects 3GHSA-74fj-2j2h-c42q|axios>follow-redirects 4GHSA-4w2v-q235-vp99|axios 5GHSA-42xw-2xvc-qx8m|axios 6GHSA-cph5-m8f7-6c5x|axios 7Failed security audit due to high, moderate vulnerabilities. 8Vulnerable advisories are: 9https://github.com/advisories/GHSA-pw2r-vq6v-hr8c 10https://github.com/advisories/GHSA-74fj-2j2h-c42q 11https://github.com/advisories/GHSA-4w2v-q235-vp99 12https://github.com/advisories/GHSA-42xw-2xvc-qx8m 13https://github.com/advisories/GHSA-cph5-m8f7-6c5x 14Exiting...
Advisories can be suppressed using several approaches. Each approach is useful in unique scenarios.
First, the most granular and secure approach, using paths. If in the future the same advisory arises with a different path, the pipeline will fail.
1"allowlist": [ 2 "GHSA-pw2r-vq6v-hr8c|axios>follow-redirects", 3 "GHSA-74fj-2j2h-c42q|axios>follow-redirects", 4 "GHSA-4w2v-q235-vp99|axios", 5 "GHSA-42xw-2xvc-qx8m|axios", 6 "GHSA-cph5-m8f7-6c5x|axios" 7]
The next best approach is suppressing the advisories using advisory IDs. This approach may be useful if your team knows that the application is not (and will not be) affected by the advisory regardless of the path. Often, the same advisory can be present in many paths. Allowlisting by advisory ID is terser than the alternative of listing all paths.
1"allowlist": [ 2 "GHSA-pw2r-vq6v-hr8c", 3 "GHSA-74fj-2j2h-c42q", 4 "GHSA-4w2v-q235-vp99", 5 "GHSA-42xw-2xvc-qx8m", 6 "GHSA-cph5-m8f7-6c5x" 7]
The next approach is to allowlist the modules themselves. All current and future advisories are automatically suppressed when using module allowlist records. Compared to other suppression approaches, there's an increased risk of a new advisory impacting your application due to the broad suppression. Suppressing via a module allowlist record is often less useful than using path allowlist records + wildcards, as noted in the final approach.
1"allowlist": [ 2 "axios", 3 "follow-redirects" 4]
Finally, wildcards can be used within path allowlist records. Wildcards are useful for trusted development-only dependencies such as react-scripts. Unlike the module allowlist record of react-scripts, the path allowlist of *|react-scripts>* suppresses transitive dependency advisories (dependencies of dependencies).
Wildcard matching works by:
- splitting the allowlist record at every wildcard
- constructing a regex matching anything at each wildcard location
An allowlist record may include any number of wildcards such as *|react-scripts>*>*>example>*.
Allowlist Formats
The simplest way to add an advisory to the allowlist is using a string:
1"allowlist": [ 2 "axios" 3]
You can also use an object notation (NSPRecord) in which you can add notes and control the expiration of this exception:
1"allowlist": [ 2 { 3 "axios": { 4 "active": true, 5 "notes": "Ignore this until November 20th", 6 "expiry": "20 November 2022 11:00" 7 } 8 } 9]
allowlist supports both formats at the same time, so feel free to mix and match:
1"allowlist": [ 2 { 3 "axios": { 4 "active": true, 5 "notes": "Ignore this until November 20th", 6 "expiry": "20 November 2022 11:00" 7 } 8 }, 9 "base64url" 10]
NSPRecord Fields
| Attribute | Type | Description | Example |
|---|---|---|---|
active | boolean | Whether the exception is active or not | true |
expiry | string | number | Human-readable date, or milliseconds since the UNIX Epoch | - '2020-01-31' - '2020/01/31' - '01/31/2021, 11:03:58' - '1 March 2016 15:00' - '1 March 2016 3:00 pm' - '2012-01-26T13:51:50.417-07:00' - 'Sun, 11 Jul 2021 03:03:13 GMT' - 'Thu Jan 26 2017 11:00:00 GMT+1100 (Australian Eastern Daylight Time)' - 327611110417 |
notes | string | Notes related to the vulnerability. |
GitHub Actions
1steps: 2 - uses: actions/checkout@v2 3 - name: Audit for vulnerabilities 4 run: npx audit-ci@^7 --config ./audit-ci.jsonc
(Recommended) Run audit-ci immediately after checking out the git repository to reduce the risk of executing a postinstall script from a compromised NPM package.
CircleCI
1# ... excludes set up for job 2steps: 3 - checkout 4 - run: 5 name: update-npm 6 command: "sudo npm install -g npm" 7 - restore_cache: 8 key: dependency-cache-{{ checksum "package.json" }} 9 # This should run immediately after cloning 10 # the risk of executing a script from a compromised NPM package. 11 # If you use a pull-request-only workflow, 12 # it's better to not run audit-ci on `main` and only run it on pull requests. 13 # For more info: https://github.com/IBM/audit-ci/issues/69 14 # For a PR-only workflow, use the below command instead of the above command: 15 # 16 # command: if [[ ! -z $CIRCLE_PULL_REQUEST ]] ; then npx audit-ci --config ./audit-ci.jsonc ; fi 17 - run: 18 name: run-audit-ci 19 command: npx audit-ci@^7 --config ./audit-ci.jsonc 20 - run: 21 name: install-npm 22 command: "npm install --no-audit"
Travis-CI
Auditing only on PR builds is recommended
1scripts: 2 # This script should be the first that runs to reduce the risk of 3 # executing a script from a compromised NPM package. 4 - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npx audit-ci@^7 --config ./audit-ci.jsonc; fi
For Travis-CI not using PR builds:
1scripts: 2 - npx audit-ci@^7 --config ./audit-ci.jsonc
Options
(Recommended) Prefer to use a JSONC or JSON5 config file for
audit-ciover managing your config with CLI arguments. Using a config file supports workflows such as documenting your allowlist, centralized and easier config management, and code completion when using the$schemafield.
| Args | Alias | Description |
|---|---|---|
| -l | --low | Prevents integration with low or higher vulnerabilities (default false) |
| -m | --moderate | Prevents integration with moderate or higher vulnerabilities (default false) |
| -h | --high | Prevents integration with high or critical vulnerabilities (default false) |
| -c | --critical | Prevents integration only with critical vulnerabilities (default false) |
| -p | --package-manager | Choose a package manager [choices: auto, npm, yarn, pnpm] (default auto) |
| -a | --allowlist | Vulnerable modules, advisories, and paths to allowlist from preventing integration (default none) |
| -o | --output-format | The format of the output of audit-ci [choices: text, json] (default text) |
| -d | --directory | The directory containing the package.json to audit (default ./) |
| --pass-enoaudit | Pass if no audit is performed due to the registry returning ENOAUDIT (default false) | |
| --show-found | Show allowlisted advisories that are found (default true) | |
| --show-not-found | Show allowlisted advisories that are not found (default true) | |
| --registry | The registry to resolve packages by name and version for auditing (default to unspecified) | |
| --report-type | Format for the audit report results [choices: important, summary, full] (default important) | |
| --retry-count | The number of attempts audit-ci calls an unavailable registry before failing (default 5) | |
| --config | Path to the audit-ci configuration file | |
| --skip-dev | Skip auditing devDependencies (default false) | |
| --extra-args | Extra arguments to pass to the underlying audit command (default: []) |
Config file specification
A config file can manage auditing preferences for audit-ci. The config file's keys match the CLI arguments.
1{ 2 "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json", 3 // Only use one of ["low": true, "moderate": true, "high": true, "critical": true] 4 "low": <boolean>, // [Optional] defaults `false` 5 "moderate": <boolean>, // [Optional] defaults `false` 6 "high": <boolean>, // [Optional] defaults `false` 7 "critical": <boolean>, // [Optional] defaults `false` 8 "allowlist": <(string | [NSPRecord](#nsprecord-fields))[]>, // [Optional] default `[]` 9 "report-type": <string>, // [Optional] defaults `important` 10 "package-manager": <string>, // [Optional] defaults `"auto"` 11 "output-format": <string>, // [Optional] defaults `"text"` 12 "pass-enoaudit": <boolean>, // [Optional] defaults `false` 13 "show-found": <boolean>, // [Optional] defaults `true` 14 "show-not-found": <boolean>, // [Optional] defaults `true` 15 "registry": <string>, // [Optional] defaults `undefined` 16 "retry-count": <number>, // [Optional] defaults 5 17 "skip-dev": <boolean>, // [Optional] defaults `false` 18 "extra-args": <string>[] // [Optional] defaults `[]` 19}
Refrain from using
"directory"within the config file becausedirectoryis relative to where the command is run, rather than the directory where the config file exists.
Examples
Prevents build on moderate, high, or critical vulnerabilities with allowlist; ignores low
With a JSONC config file, execute with npx audit-ci --config ./audit-ci.jsonc.
1// audit-ci.jsonc 2{ 3 // $schema provides code completion hints to IDEs. 4 "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json", 5 "moderate": true, 6 "allowlist": [ 7 // Axios denial of service https://github.com/advisories/GHSA-42xw-2xvc-qx8m 8 "GHSA-42xw-2xvc-qx8m", 9 // The following are for the latest create-react-app 10 // https://github.com/advisories/GHSA-rp65-9cf3-cjxr 11 // Alternatively, allowlist "GHSA-rp65-9cf3-cjxr" to suppress this nth-check advisory across all paths 12 // or "*|react-scripts>*" to suppress advisories for all transitive dependencies of "react-scripts". 13 "GHSA-rp65-9cf3-cjxr|react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check", 14 ], 15}
Or, with the CLI:
1npx audit-ci -m -a "GHSA-42xw-2xvc-qx8m" "GHSA-rp65-9cf3-cjxr|react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check"
Prevents build on any vulnerability except advisory "GHSA-38f5-ghc2-fcmv" and all of lodash and base64url, don't show allowlisted
With a JSON5 config file:
1// JSON5 files support trailing commas and more succinct syntax than JSONC files. 2{ 3 $schema: "https://github.com/IBM/audit-ci/raw/main/docs/schema.json", 4 low: true, 5 allowlist: ["GHSA-38f5-ghc2-fcmv", "lodash", "base64url"], 6 "show-found": false, 7}
Or, with the CLI with yarn dlx:
1yarn dlx audit-ci@^7 -l -a "GHSA-38f5-ghc2-fcmv" lodash base64url --show-found false
Prevents build with critical vulnerabilities showing the full report
With a JSONC config file:
1{ 2 "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json", 3 "critical": true, 4 "report-type": "full", 5}
Or, with the CLI with pnpm dlx:
1pnpm dlx audit-ci@^7 --critical --report-type full
Continues build regardless of vulnerabilities, but show the summary report
With a JSONC config file:
1{ 2 "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json", 3 "report-type": "summary", 4}
Or, with the CLI:
1npx audit-ci@^7 --report-type summary
Pass additional args to Yarn Berry to exclude a certain package from audit
With a JSONC config file, in a project on Yarn Berry v3.3.0 or later:
1{ 2 "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json", 3 "extra-args": ["--exclude", "example"], 4}
Or, with the CLI:
1npx audit-ci@^7 --extra-args '\--exclude' example
Example config file and different directory usage
test/npm-config-file/audit-ci.jsonc
1{ 2 "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json", 3 "low": true, 4 "package-manager": "auto", 5 "allowlist": [ 6 "GHSA-333w-rxj3-f55r", 7 "GHSA-vfvf-mqq8-rwqc", 8 "example1", 9 "example2", 10 "GHSA-6354-6mhv-mvv5|example3", 11 "GHSA-42xw-2xvc-qx8m|example4", 12 "GHSA-42xw-2xvc-qx8m|example5>example4", 13 "*|example6>*", 14 ], 15 "registry": "https://registry.npmjs.org", 16}
1npx audit-ci@^7 --directory test/npm-config-file --config test/npm-config-file/audit-ci.jsonc
test/pnpm-config-file/audit-ci.json5
1{ 2 $schema: "https://github.com/IBM/audit-ci/raw/main/docs/schema.json", 3 moderate: true, 4 "package-manager": "pnpm", 5 allowlist: [ 6 "GHSA-vfvf-mqq8-rwqc", 7 "example2", 8 "GHSA-6354-6mhv-mvv5|example3", 9 "GHSA-42xw-2xvc-qx8m|example5>example4", 10 "*|example6>*", 11 ], 12}
1npx audit-ci@^7 --directory test/pnpm-config-file --config test/pnpm-config-file/audit-ci.json5
Codemod
1npx @quinnturner/audit-ci-codemod
https://github.com/quinnturner/audit-ci-codemod
audit-ci v6.0.0 changed the identifiers used for auditing from the NPM identifiers to GitHub identifiers.
NPM identifiers are considered unstable to rely on, as they frequently change.
Meanwhile, GitHub identifiers are stable.
To accommodate for a potentially tedious migration, a codemod is available to update your configuration in-place.
1$ npx @quinnturner/audit-ci-codemod 2Need to install the following packages: 3 @quinnturner/audit-ci-codemod 4Ok to proceed? (y) y 5? What's the path for the audit-ci config? audit-ci.jsonc 6Performed migration from advisories, whitelist, and path-whitelist to allowlist 7Performed migration from NPM advisories to GitHub advisories
Q&A
Why run audit-ci on PR builds for Travis-CI and not the push builds?
If audit-ci is run on the PR build and not on the push build, you can continue to push new code and create PRs parallel to the actual vulnerability fix.
However, they can't be merged until the fix is implemented.
Since audit-ci performs the audit on the PR build,
it will always have the most up-to-date dependencies vs. the push build, which would require a manual merge with main before passing the audit.
What do I do when NPM/Yarn is breaking my build while returning ENOAUDIT?
The config option --pass-enoaudit allows passing if no audit is performed due to the registry returning ENOAUDIT.
It is false by default to reduce the risk of merging in a vulnerable package.
However, if the convenience of passing is more important for your project then you can add --pass-enoaudit into the CLI or add it to the config.
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0
Reason
branch protection is not maximal on development and all release branches
Details
- Info: 'allow deletion' disabled on branch 'main'
- Info: 'force pushes' disabled on branch 'main'
- Warn: required approving review count is 1 on branch 'main'
- Warn: codeowners review is not required on branch 'main'
- Info: status check found to merge onto on branch 'main'
- Info: PRs are required in order to make changes on branch 'main'
Reason
SAST tool detected but not run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Warn: 11 commits out of 30 are checked with a SAST tool
Reason
Found 8/28 approved changesets -- score normalized to 2
Reason
dependency not pinned by hash detected -- score normalized to 2
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/IBM/audit-ci/build.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/IBM/audit-ci/build.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/IBM/audit-ci/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/IBM/audit-ci/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/IBM/audit-ci/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/IBM/audit-ci/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npmpublish.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/IBM/audit-ci/npmpublish.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npmpublish.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/IBM/audit-ci/npmpublish.yml/main?enable=pin
- Info: 0 out of 8 GitHub-owned GitHubAction dependencies pinned
- Info: 2 out of 2 npmCommand dependencies pinned
Reason
0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:28
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:29
- Warn: no topLevel permission defined: .github/workflows/build.yml:1
- Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1
- Warn: no topLevel permission defined: .github/workflows/npmpublish.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
28 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm
- Warn: Project is vulnerable to: GHSA-64vr-g452-qvp3
- Warn: Project is vulnerable to: GHSA-9cwx-2883-4wfx
- Warn: Project is vulnerable to: GHSA-42xw-2xvc-qx8m
- Warn: Project is vulnerable to: GHSA-4w2v-q235-vp99
- Warn: Project is vulnerable to: GHSA-cph5-m8f7-6c5x
- Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
- Warn: Project is vulnerable to: GHSA-74fj-2j2h-c42q
- Warn: Project is vulnerable to: GHSA-pw2r-vq6v-hr8c
- Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
- Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
- Warn: Project is vulnerable to: GHSA-28xh-wpgr-7fm8
- Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
- Warn: Project is vulnerable to: GHSA-c6rq-rjc2-86v2
- Warn: Project is vulnerable to: GHSA-rvg8-pwq2-xj7q
- Warn: Project is vulnerable to: GHSA-38f5-ghc2-fcmv
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-xf5p-87ch-gxw2
- Warn: Project is vulnerable to: GHSA-5v2h-r2cx-5xgj
- Warn: Project is vulnerable to: GHSA-rrrm-qjm4-v8hf
- Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
- Warn: Project is vulnerable to: GHSA-rp65-9cf3-cjxr
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-mxhp-79qh-mcx6
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
Score
4
/10
Last Scanned on 2024-11-25
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More