npmpackage.info

Gathering detailed insights and metrics for npm

Other packages similar to npm

@pnpm/npm-conf

2.3.1

Get the npm config

npm-conf

1.1.3

Get the npm config

npm-registry-utilities

1.0.0

npm registry utikities

npm-user-validate

3.0.0

User validations for npm

Gathering detailed insights and metrics for npm

npm

the package manager for JavaScript

10.9.1

8,524

NOASSERTION

JavaScript

2.71 kB

1,259,985,722 6.2

Installations

npm install npm

Pull Requests

Open

44

Total

2,749

Closed

1,031

Merged

1,674

Issues

Open

626

Total

4,746

Closed

4,120

Releases

740

libnpmversion: v8.0.0-pre.0

libnpmversion-v8.0.0-pre.0

Published on 26 Nov 2024

libnpmteam: v8.0.0-pre.0

libnpmteam-v8.0.0-pre.0

Published on 26 Nov 2024

libnpmsearch: v9.0.0-pre.0

libnpmsearch-v9.0.0-pre.0

Published on 26 Nov 2024

libnpmpublish: v11.0.0-pre.0

libnpmpublish-v11.0.0-pre.0

Published on 26 Nov 2024

libnpmpack: v9.0.0-pre.0

libnpmpack-v9.0.0-pre.0

Published on 26 Nov 2024

libnpmorg: v8.0.0-pre.0

libnpmorg-v8.0.0-pre.0

Published on 26 Nov 2024

View all 740 releases

Developer

npm

Developer Guide

BETA

Module System

CommonJS, ESM

Min. Node Version

^18.17.0 || >=20.5.0

Typescript Support

No

Node Version

22.11.0

NPM Version

10.9.1 Statistics

8,524 Stars

12,623 Commits

3,194 Forks

220 Watching

23 Branches

920 Contributors

Updated on 28 Nov 2024

Bundle Size

6.92 kB

Minified

2.71 kB

Minified + Gzipped

Bundlephobia

Languages

JavaScript (99.72%)

Handlebars (0.17%)

Shell (0.08%)

Batchfile (0.01%)

PowerShell (0.01%)

Total Downloads

Cumulative downloads

Total Downloads

1,259,985,722

Last day

-6.9%

1,286,308

Compared to previous day

Last week

8.2%

7,745,235

Compared to previous week

Last month

15.3%

29,473,633

Compared to previous month

Last year

12.7%

286,442,502

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

ms ini tar glob nopt read ssri archy chalk p-map which abbrev pacote semver cacache ci-info is-cidr minipass node-gyp proc-log libnpmorg minimatch treeverse @npmcli/fs libnpmdiff libnpmexec libnpmfund libnpmhook libnpmpack libnpmteam text-table cli-columns fs-minipass graceful-fs npm-profile libnpmaccess libnpmsearch @sigstore/tuf libnpmpublish libnpmversion @npmcli/config @npmcli/redact supports-color hosted-git-info npm-package-arg qrcode-terminal @npmcli/arborist npm-audit-report init-package-json make-fetch-happen minipass-pipeline npm-pick-manifest npm-user-validate write-file-atomic @npmcli/run-script npm-install-checks npm-registry-fetch tiny-relative-date fastest-levenshtein parse-conflict-json @npmcli/package-json @npmcli/promise-spawn spdx-expression-parse @npmcli/map-workspaces normalize-package-data validate-npm-package-name @isaacs/string-locale-compare json-parse-even-better-errors

Dev Dependencies

Versions

npm - a JavaScript package manager

Requirements

One of the following versions of Node.js must be installed to run npm:

18.x.x >= 18.17.0
20.5.0 or higher

Installation

npm comes bundled with node, & most third-party distributions, by default. Officially supported downloads/distributions can be found at: nodejs.org/en/download

Direct Download

You can download & install npm directly from npmjs.com using our custom install.sh script:

1curl -qL https://www.npmjs.com/install.sh | sh

Node Version Managers

If you're looking to manage multiple versions of Node.js &/or npm, consider using a node version manager

Usage

1npm <command>

Links & Resources

Documentation - Official docs & how-tos for all things npm
- Note: you can also search docs locally with npm help-search <query>
Bug Tracker - Search or submit bugs against the CLI
Roadmap - Track & follow along with our public roadmap
Community Feedback and Discussions - Contribute ideas & discussion around the npm registry, website & CLI
RFCs - Contribute ideas & specifications for the API/design of the npm CLI
Service Status - Monitor the current status & see incident reports for the website & registry
Project Status - See the health of all our maintained OSS projects in one view
Events Calendar - Keep track of our Open RFC calls, releases, meetups, conferences & more
Support - Experiencing problems with the npm website or registry? File a ticket here

Acknowledgments

npm is configured to use the npm Public Registry at https://registry.npmjs.org by default; Usage of this registry is subject to Terms of Use available at https://npmjs.com/policies/terms
You can configure npm to use any other compatible registry you prefer. You can read more about configuring third-party registries here

FAQ on Branding

Is it "npm" or "NPM" or "Npm"?

npm should never be capitalized unless it is being displayed in a location that is customarily all-capitals (ex. titles on man pages).

Is "npm" an acronym for "Node Package Manager"?

Contrary to popular belief, npm is not in fact an acronym for "Node Package Manager"; It is a recursive bacronymic abbreviation for "npm is not an acronym" (if the project was named "ninaa", then it would be an acronym). The precursor to npm was actually a bash utility named "pm", which was the shortform name of "pkgmakeinst" - a bash function that installed various things on various platforms. If npm were to ever have been considered an acronym, it would be as "node pm" or, potentially "new pm".

Stable Version

The latest stable version of the package.

Stable Version

10.9.1

HIGH

7.8/10

Summary

Incorrect Permission Assignment for Critical Resource in NPM

Affected Versions

< 5.7.1

Patched Versions

5.7.1

HIGH

7.5/10

Summary

Packing does not respect root-level ignore files in workspaces

Affected Versions

>= 7.9.0, < 8.11.0

Patched Versions

8.11.0

HIGH

7.7/10

Summary

Arbitrary File Write in npm

Affected Versions

< 6.13.3

Patched Versions

6.13.3

HIGH

7.7/10

Summary

npm Vulnerable to Global node_modules Binary Overwrite

Affected Versions

< 6.13.4

Patched Versions

6.13.4

HIGH

7.7/10

Summary

npm symlink reference outside of node_modules

Affected Versions

< 6.13.3

Patched Versions

6.13.3

HIGH

0/10

Summary

npm Token Leak in npm

Affected Versions

>= 3.0.0, <= 3.8.2

Patched Versions

3.8.3

HIGH

0/10

Summary

npm Token Leak in npm

Affected Versions

<= 2.15.0

Patched Versions

2.15.1

MODERATE

4.4/10

Summary

npm CLI exposing sensitive information through logs

Affected Versions

< 6.14.6

Patched Versions

6.14.6

LOW

0/10

Summary

Local Privilege Escalation in npm

Affected Versions

< 1.3.3

Patched Versions

1.3.3

10

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

10

Security-Policy

Determines if the project has published a security policy.

10

Maintained

Determines if the project is "actively maintained".

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

SAST

Determines if the project uses static code analysis.

9

License

Determines if the project has defined a license.

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

Reason

detected GitHub workflow tokens with excessive permissions

Details

Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:23
Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:24
Warn: no topLevel permission defined: .github/workflows/audit.yml:1
Warn: no topLevel permission defined: .github/workflows/ci-libnpmaccess.yml:1
Warn: no topLevel permission defined: .github/workflows/ci-libnpmdiff.yml:1
Warn: no topLevel permission defined: .github/workflows/ci-libnpmexec.yml:1
Warn: no topLevel permission defined: .github/workflows/ci-libnpmfund.yml:1
Warn: no topLevel permission defined: .github/workflows/ci-libnpmorg.yml:1
Warn: no topLevel permission defined: .github/workflows/ci-libnpmpack.yml:1
Warn: no topLevel permission defined: .github/workflows/ci-libnpmpublish.yml:1
Warn: no topLevel permission defined: .github/workflows/ci-libnpmsearch.yml:1
Warn: no topLevel permission defined: .github/workflows/ci-libnpmteam.yml:1
Warn: no topLevel permission defined: .github/workflows/ci-libnpmversion.yml:1
Warn: no topLevel permission defined: .github/workflows/ci-npmcli-arborist.yml:1
Warn: no topLevel permission defined: .github/workflows/ci-npmcli-config.yml:1
Warn: no topLevel permission defined: .github/workflows/ci-npmcli-docs.yml:1
Warn: no topLevel permission defined: .github/workflows/ci-npmcli-mock-globals.yml:1
Warn: no topLevel permission defined: .github/workflows/ci-npmcli-mock-registry.yml:1
Warn: no topLevel permission defined: .github/workflows/ci-npmcli-smoke-tests.yml:1
Warn: no topLevel permission defined: .github/workflows/ci-release.yml:1
Warn: no topLevel permission defined: .github/workflows/ci.yml:1
Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1
Warn: no topLevel permission defined: .github/workflows/create-node-pr.yml:1
Warn: no topLevel permission defined: .github/workflows/node-integration.yml:1
Warn: no topLevel permission defined: .github/workflows/pull-request.yml:1
Warn: no topLevel permission defined: .github/workflows/release-integration.yml:1
Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:12
Warn: topLevel 'checks' permission set to 'write': .github/workflows/release.yml:14
Info: no jobLevel write permissions found

0

Fuzzing

Determines if the project uses fuzzing.

0

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 0

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/audit.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/audit.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmaccess.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmaccess.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmaccess.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmaccess.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmaccess.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmaccess.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmaccess.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmaccess.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmdiff.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmdiff.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmdiff.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmdiff.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmdiff.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmdiff.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmdiff.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmdiff.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmexec.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmexec.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmexec.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmexec.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmexec.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmexec.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmexec.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmexec.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmfund.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmfund.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmfund.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmfund.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmfund.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmfund.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmfund.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmfund.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmorg.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmorg.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmorg.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmorg.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmorg.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmorg.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmorg.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmorg.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmpack.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmpack.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmpack.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmpack.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmpack.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmpack.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmpack.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmpack.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmpublish.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmpublish.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmpublish.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmpublish.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmpublish.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmpublish.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmpublish.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmpublish.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmsearch.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmsearch.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmsearch.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmsearch.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmsearch.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmsearch.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmsearch.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmsearch.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmteam.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmteam.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmteam.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmteam.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmteam.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmteam.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmteam.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmteam.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmversion.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmversion.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmversion.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmversion.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmversion.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmversion.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-libnpmversion.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-libnpmversion.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-arborist.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-arborist.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-arborist.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-arborist.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-arborist.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-arborist.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-arborist.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-arborist.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-config.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-config.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-config.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-config.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-config.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-config.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-config.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-config.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-docs.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-docs.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-docs.yml:91: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-docs.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-docs.yml:121: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-docs.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-docs.yml:129: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-docs.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-docs.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-docs.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-docs.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-docs.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-mock-globals.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-mock-globals.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-mock-globals.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-mock-globals.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-mock-globals.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-mock-globals.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-mock-globals.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-mock-globals.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-mock-registry.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-mock-registry.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-mock-registry.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-mock-registry.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-mock-registry.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-mock-registry.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-mock-registry.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-mock-registry.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-smoke-tests.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-smoke-tests.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-smoke-tests.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-smoke-tests.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-smoke-tests.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-smoke-tests.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-npmcli-smoke-tests.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-npmcli-smoke-tests.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-release.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-release.yml/latest?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-release.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:108: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-release.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:124: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-release.yml/latest?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:141: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-release.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:173: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-release.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-release.yml:189: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-release.yml/latest?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-release.yml:202: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci-release.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:104: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:130: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:158: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:164: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:187: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:193: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci.yml/latest?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:204: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci.yml/latest?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:206: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/ci.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/codeql-analysis.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/codeql-analysis.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/codeql-analysis.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/create-node-pr.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/create-node-pr.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/create-node-pr.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/create-node-pr.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/create-node-pr.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/create-node-pr.yml/latest?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/node-integration.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/node-integration.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node-integration.yml:140: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/node-integration.yml/latest?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/node-integration.yml:155: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/node-integration.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node-integration.yml:159: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/node-integration.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node-integration.yml:176: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/node-integration.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node-integration.yml:193: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/node-integration.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node-integration.yml:251: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/node-integration.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node-integration.yml:364: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/node-integration.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node-integration.yml:379: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/node-integration.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/pull-request.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull-request.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/pull-request.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:217: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/release.yml/latest?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:235: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/release.yml/latest?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:269: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/release.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:278: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/release.yml/latest?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:298: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/release.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/release.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/release.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/release.yml/latest?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/release.yml/latest?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/release.yml/latest?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/release.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/release.yml/latest?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/release.yml/latest?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:135: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/release.yml/latest?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:161: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/release.yml/latest?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:198: update your workflow using https://app.stepsecurity.io/secureworkflow/npm/cli/release.yml/latest?enable=pin
Warn: npmCommand not pinned by hash: .github/workflows/node-integration.yml:248
Warn: npmCommand not pinned by hash: .github/workflows/node-integration.yml:410
Info: 0 out of 106 GitHub-owned GitHubAction dependencies pinned
Info: 0 out of 16 third-party GitHubAction dependencies pinned
Info: 0 out of 2 npmCommand dependencies pinned

0

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

Reason

98 existing vulnerabilities detected

Details

Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
Warn: Project is vulnerable to: GHSA-8hc4-vh64-cxmj
Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
Warn: Project is vulnerable to: GHSA-566m-qj78-rww5
Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
Warn: Project is vulnerable to: GHSA-rf66-hmqf-q3fc
Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
Warn: Project is vulnerable to: GHSA-hgqx-r2hp-jr38
Warn: Project is vulnerable to: GHSA-v65r-p3vv-jjfv
Warn: Project is vulnerable to: GHSA-v626-r774-j7f8
Warn: Project is vulnerable to: GHSA-438c-3975-5x3f
Warn: Project is vulnerable to: GHSA-9hcv-j9pv-qmph
Warn: Project is vulnerable to: GHSA-w9jx-4g6g-rp7x
Warn: Project is vulnerable to: GHSA-5359-pvf2-pw78
Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986
Warn: Project is vulnerable to: GHSA-m95q-7qp3-xv42
Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq
Warn: Project is vulnerable to: GHSA-q42p-pg8m-cqh6
Warn: Project is vulnerable to: GHSA-w457-6q6x-cgp9
Warn: Project is vulnerable to: GHSA-62gr-4qp9-h98f
Warn: Project is vulnerable to: GHSA-f52g-6jhx-586p
Warn: Project is vulnerable to: GHSA-2cf5-4w76-r9qv
Warn: Project is vulnerable to: GHSA-3cqr-58rm-57f8
Warn: Project is vulnerable to: GHSA-g9r4-xpmj-mj65
Warn: Project is vulnerable to: GHSA-q2c6-c6pm-g3gh
Warn: Project is vulnerable to: GHSA-765h-qjxv-5f44
Warn: Project is vulnerable to: GHSA-f2jv-r9rf-7988
Warn: Project is vulnerable to: GHSA-c429-5p7v-vgjp
Warn: Project is vulnerable to: GHSA-43f8-2h32-f4cj
Warn: Project is vulnerable to: GHSA-pfq8-rq6v-vf5m
Warn: Project is vulnerable to: GHSA-qqgx-2p2h-9c37
Warn: Project is vulnerable to: GHSA-6c8f-qphg-qjgp
Warn: Project is vulnerable to: GHSA-4xc9-xhrj-v574
Warn: Project is vulnerable to: GHSA-x5rq-j2xg-h7qm
Warn: Project is vulnerable to: GHSA-jf85-cpcp-j695
Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
Warn: Project is vulnerable to: GHSA-4xcv-9jjx-gfj3
Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m / GHSA-xvch-5gv4-984h
Warn: Project is vulnerable to: GHSA-fhjf-83wg-r2j9
Warn: Project is vulnerable to: GHSA-w7rc-rwvf-8q5r
Warn: Project is vulnerable to: GHSA-r683-j2x4-v87g
Warn: Project is vulnerable to: GHSA-86mr-6m89-vgj3
Warn: Project is vulnerable to: GHSA-hj48-42vr-x3v9
Warn: Project is vulnerable to: GHSA-f3vw-587g-r29g
Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
Warn: Project is vulnerable to: GHSA-4g88-fppr-53pp
Warn: Project is vulnerable to: GHSA-4jqc-8m5r-9rpr
Warn: Project is vulnerable to: GHSA-2mvq-xp48-4c77
Warn: Project is vulnerable to: GHSA-5854-jvxx-2cg9
Warn: Project is vulnerable to: GHSA-g64q-3vg8-8f93
Warn: Project is vulnerable to: GHSA-3jfq-g458-7qm9
Warn: Project is vulnerable to: GHSA-r628-mhmh-qjhw
Warn: Project is vulnerable to: GHSA-9r2w-394v-53qc
Warn: Project is vulnerable to: GHSA-5955-9wpr-37jh
Warn: Project is vulnerable to: GHSA-qq89-hq3f-393p
Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
Warn: Project is vulnerable to: GHSA-c4w7-xm78-47vh
Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp
Warn: Project is vulnerable to: GHSA-v88g-cgmw-v5xw
Warn: Project is vulnerable to: GHSA-h6ch-v84p-w6p9
Warn: Project is vulnerable to: GHSA-8r6j-v8pm-fqw3
Warn: Project is vulnerable to: MAL-2023-462
Warn: Project is vulnerable to: GHSA-896r-f27r-55mw
Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
Warn: Project is vulnerable to: GHSA-ww39-953v-wcq6
Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
Warn: Project is vulnerable to: GHSA-6chw-6frg-f759
Warn: Project is vulnerable to: GHSA-2pr6-76vf-7546
Warn: Project is vulnerable to: GHSA-8j8c-7jfh-h6hx
Warn: Project is vulnerable to: GHSA-cwfw-4gq5-mrqx
Warn: Project is vulnerable to: GHSA-g95f-p29q-9xw4
Warn: Project is vulnerable to: GHSA-9vvw-cc9w-f27h
Warn: Project is vulnerable to: GHSA-fvqr-27wr-82fm
Warn: Project is vulnerable to: GHSA-6g33-f262-xjp4
Warn: Project is vulnerable to: GHSA-662x-fhqg-9p8v
Warn: Project is vulnerable to: GHSA-394c-5j6w-4xmx
Warn: Project is vulnerable to: GHSA-78cj-fxph-m83p
Warn: Project is vulnerable to: GHSA-fhg7-m89q-25r3

Score

6.2

/10

Last Scanned on 2024-11-18

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More