npmpackage.info

Gathering detailed insights and metrics for verdaccio

Other packages similar to verdaccio

@verdaccio/utils

6.0.0-6-next.44

verdaccio utilities

verdaccio-htpasswd

10.5.5

htpasswd auth plugin for Verdaccio

@verdaccio/ui-theme

3.4.1

Verdaccio User Interface

verdaccio-audit

10.2.4

Verdaccio Middleware plugin to bypass npmjs audit

Gathering detailed insights and metrics for verdaccio

verdaccio - 6.1.5 | npmpackage.info

verdaccio

A lightweight Node.js private proxy registry

6.1.5

17,024

MIT

TypeScript

868.44 kB

32,655,615 6

Installations

npm install verdaccio

Developer Guide

BETA

Typescript

Yes

Module System

CommonJS

Min. Node Version

>=18

Node Version

22.16.0

NPM Version

10.9.2 Pull Requests

Open

11

Total

3,555

Closed

605

Merged

2,939

Issues

Open

31

Total

1,193

Closed

1,162

Releases

371

v6.1.5

Updated on Jun 29, 2025

v6.1.4

Updated on Jun 17, 2025

v6.1.3

Updated on Jun 15, 2025

v6.1.2

Updated on Apr 01, 2025

v6.1.1

Updated on Mar 30, 2025

v6.1.0

Updated on Mar 24, 2025

View All 371 releases

Languages

TypeScript

JavaScript

CSS

SCSS

Dockerfile

Shell

HTML

Python

TypeScript (93.49%)

JavaScript (3.58%)

CSS (1.46%)

SCSS (0.78%)

Dockerfile (0.56%)

Shell (0.08%)

HTML (0.05%)

Python (0.01%)

Developer

verdaccio

Download Statistics

Total Downloads

32,655,615

Last Day

50,079

Last Week

322,452

Last Month

1,377,569

Last Year

12,636,176

GitHub Statistics

MIT License

17,024 Stars

6,169 Commits

1,410 Forks

154 Watchers

16 Branches

305 Contributors

Updated on Jul 19, 2025

Sponsor this package

https://opencollective.com/verdaccio

Maintainers

View All 305 Contributors

Package Meta Information

Latest Version

6.1.5

Package Id

verdaccio@6.1.5

Unpacked Size

868.44 kB

Size

263.76 kB

File Count

110

NPM Version

10.9.2

Node Version

22.16.0

Published on

Jun 29, 2025

Total Downloads

Cumulative downloads

Total Downloads

32,655,615

Last Day

35.5%

50,079

Compared to previous day

Last Week

7.5%

322,452

Compared to previous week

Last Month

1.6%

1,377,569

Compared to previous month

Last Year

71.1%

12,636,176

Compared to previous year

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

Dev Dependencies

verdaccio logo

verdaccio gif

Version 6

Verdaccio is a simple, zero-config-required local private npm registry. No need for an entire database just to get started! Verdaccio comes out of the box with its own tiny database, and the ability to proxy other registries (eg. npmjs.org), caching the downloaded modules along the way. For those looking to extend their storage capabilities, Verdaccio supports various community-made plugins to hook into services such as Amazon's s3, Google Cloud Storage or create your own plugin.

Install

Install with npm:

1npm install --location=global verdaccio

Node.js v18 or higher is required for Verdaccio

It's recommended using Node.js 20 (or latest LTS)

or pull Docker official image

1docker pull verdaccio/verdaccio

and run

1docker run -it --rm --name verdaccio -p 4873:4873 verdaccio/verdaccio

or with helm official chart.

1helm repo add verdaccio https://charts.verdaccio.org
2helm repo update
3helm install verdaccio/verdaccio

Programmatic API

Verdaccio can be used as a module for launch a server programmatically, you can find more info at the website.

 const {runServer} = require('verdaccio');
 const app = await runServer(); // default configuration
 const app = await runServer('./config/config.yaml');
 const app = await runServer({ configuration });
 app.listen(4873, (event) => {
   // do something
 });

Plugins

You can develop your own plugins with the verdaccio generator. Installing Yeoman is required.

npm install --location=global yo
npm install --location=global generator-verdaccio-plugin

Learn more here how to develop plugins. Share your plugins with the community.

Donations

Verdaccio is run by volunteers; nobody is working full-time on it. If you find this project to be useful and would like to support its development and maintenance.

You can donate at Open Collective 💵👍🏻 starting from $1/month or just one single contribution.

What does Verdaccio do for me?

Use private packages

If you want to use all benefits of npm package system in your company without sending all code to the public, and use your private packages just as easy as public ones.

Cache npmjs.org registry

If you have more than one server you want to install packages on, you might want to use this to decrease latency (presumably "slow" npmjs.org will be connected to only once per package/version) and provide limited failover (if npmjs.org is down, we might still find something useful in the cache) or avoid issues like How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript, Many packages suddenly disappeared or Registry returns 404 for a package I have installed before.

Link multiple registries

If you use multiples registries in your organization and need to fetch packages from multiple sources in one single project you might take advance of the uplinks feature with Verdaccio, chaining multiple registries and fetching from one single endpoint.

Override public packages

If you want to use a modified version of some 3rd-party package (for example, you found a bug, but maintainer didn't accept pull request yet), you can publish your version locally under the same name. See in detail here.

E2E Testing

Verdaccio has proved to be a lightweight registry that can be booted in a couple of seconds, fast enough for any CI. Many open source projects use verdaccio for end to end testing, to mention some examples, create-react-app, mozilla neutrino, pnpm, storybook, babel.js, angular-cli or docusaurus. You can read more in here.

Furthermore, here few examples how to start:

Talks

View more in the YouTube channel.

Get Started

Run in your terminal

1verdaccio

You would need set some npm configuration, this is optional.

1$ npm set registry http://localhost:4873/

For one-off commands or to avoid setting the registry globally:

1NPM_CONFIG_REGISTRY=http://localhost:4873 npm i

Now you can navigate to http://localhost:4873/ where your local packages will be listed and can be searched.

Warning: Verdaccio does not currently support PM2's cluster mode, running it with cluster mode may cause unknown behavior.

Publishing

1. create a user and log in

1npm adduser --registry http://localhost:4873

if you use HTTPS, add an appropriate CA information ("null" means get CA list from OS)

1$ npm set ca null

2. publish your package

1npm publish --registry http://localhost:4873

This will prompt you for user credentials which will be saved on the verdaccio server.

Docker

Below are the most commonly needed information, every aspect of Docker and verdaccio is documented separately

docker pull verdaccio/verdaccio

Available as tags.

docker pull verdaccio/verdaccio:6.x-next

Running verdaccio using Docker

To run the docker container:

1docker run -it --rm --name verdaccio -p 4873:4873 verdaccio/verdaccio

Docker examples are available in this repository.

Compatibility

Verdaccio aims to support all features of a standard npm client that make sense to support in private repository. Unfortunately, it isn't always possible.

Basic features

Installing packages (npm install, npm upgrade, etc.) - supported
Publishing packages (npm publish) - supported

Advanced package control

Unpublishing packages (npm unpublish) - supported
Tagging (npm tag) - supported
Deprecation (npm deprecate) - supported

User management

Registering new users (npm adduser {newuser}) - supported
Change password (npm profile set password) - supported
Transferring ownership (npm owner add {user} {pkg}) - not supported, PR-welcome
Token (npm token) - supported (under flag)

Miscellany

Search (npm search) - supported (cli (/-/all and v1) / browser)
Ping (npm ping) - supported
Starring (npm star, npm unstar, npm stars) - supported

Security

npm/yarn audit - supported

Report a vulnerability

If you want to report a security vulnerability, please follow the steps which we have defined for you in our security policy.

Contributors

Juan Picado	Ayush Sharma	Sergio Hg

@jotadeveloper	@ayusharma_	@sergiohgz
Priscila Oliveria	Daniel Ruf

@priscilawebdev	@DanielRufde

See the full list of contributors is at the website.

Who is using Verdaccio?

create-react-app (+96.2k ⭐️)
Gatsby (+53.5k ⭐️)
Babel.js (+41.3k ⭐️)
Docusaurus (+37k ⭐️)
Vue CLI (+29.4k ⭐️)
Angular CLI (+25.6k ⭐️)
Uppy (+25.8k ⭐️)
pnpm (+19.2k ⭐️)
bit (+15k ⭐️)
NX (+14.1k ⭐️)
Aurelia Framework (+11.6k ⭐️)
ethereum/web3.js (+9.8k ⭐️)
webiny-js (+5.9k ⭐️)
workshopper how to npm (+1k ⭐️)
Amazon SDK v3
Amazon Encryption SDK for Javascript

🤓 Don't be shy, add yourself to this readme.

Open Collective Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]

Open Collective Backers

Thank you to all our backers! 🙏 [Become a backer]

Special Thanks

Thanks to the following companies to help us to achieve our goals providing free open source licenses. Every company provides enough resources to move this project forward.

Company	Logo	License
JetBrains		JetBrains provides licenses for products for active maintainers, renewable yearly
Crowdin		Crowdin provides platform for translations
BrowserStack		BrowserStack provides plan to run End to End testing for the UI
Netlify		Netlify provides pro plan for website deployment
Algolia		Algolia provides search services for the website
Docker		Docker offers unlimited pulls and unlimited egress to any and all users

Contributors

This project exists thanks to all the people who contribute. [Contribute].

FAQ / Contact / Troubleshoot

If you have any issue you can try the following options, do no desist to ask or check our issues database, perhaps someone has asked already what you are looking for.

License

Verdaccio is MIT licensed

The Verdaccio documentation and logos (excluding /thanks, e.g., .md, .png, .sketch) files within the /assets folder) is Creative Commons licensed.

Moderate

6.1/10

Summary

Cross-Site Scripting (XSS) in Verdaccio

Affected Versions

< 3.12.0

Patched Versions

3.12.0

10

Security-Policy

Determines if the project has published a security policy.

10

Maintained

Determines if the project is "actively maintained".

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

License

Determines if the project has defined a license.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

Packaging

Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.

9

SAST

Determines if the project uses static code analysis.

5

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

1

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 1

Details

Warn: third-party GitHubAction not pinned by hash: .github/workflows/changesets.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/verdaccio/verdaccio/changesets.yml/master?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-publish.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/verdaccio/verdaccio/docker-publish.yml/master?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-publish.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/verdaccio/verdaccio/docker-publish.yml/master?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-publish.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/verdaccio/verdaccio/docker-publish.yml/master?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/shared-docker-publish.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/verdaccio/verdaccio/shared-docker-publish.yml/master?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/shared-docker-publish.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/verdaccio/verdaccio/shared-docker-publish.yml/master?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/shared-docker-publish.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/verdaccio/verdaccio/shared-docker-publish.yml/master?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/shared-docker-publish.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/verdaccio/verdaccio/shared-docker-publish.yml/master?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/test-publish-package.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/verdaccio/verdaccio/test-publish-package.yml/master?enable=pin
Warn: containerImage not pinned by hash: Dockerfile:1
Warn: containerImage not pinned by hash: Dockerfile:24: pin your Docker image by updating node:24-alpine to node:24-alpine@sha256:22b3c1a1171c798c0429f36272922dbb356bbab8a6d11b3b095a143d3321262a
Warn: containerImage not pinned by hash: docker-examples/v4/amazon-s3-docker-example/localStack-resources/Dockerfile:1: pin your Docker image by updating python:3.7-alpine to python:3.7-alpine@sha256:f3d31c8677d03f0b3c724446077f229a6ce9d3ac430f5c08cd7dff00292048c3
Warn: containerImage not pinned by hash: docker-examples/v4/amazon-s3-docker-example/s3Plugin/Dockerfile:1: pin your Docker image by updating verdaccio/verdaccio:4 to verdaccio/verdaccio:4@sha256:c059ee7ae4603e8bf2e70c6b4c941c143be66377d706c9bcc79798072691e8b4
Warn: containerImage not pinned by hash: docker-examples/v4/apache-verdaccio/apache_proxy/Dockerfile:1: pin your Docker image by updating eboraas/apache to eboraas/apache@sha256:c7c5d67f9f6590fa07e19cb83cb6c29813a844b859b7302adb7989f447f17928
Warn: containerImage not pinned by hash: docker-examples/v4/ldap-verdaccio/verdaccio-ldap/Dockerfile:1: pin your Docker image by updating verdaccio/verdaccio:4.2.2 to verdaccio/verdaccio:4.2.2@sha256:63d1bd1efb23f4365ee9b574a9971a4adf1b403b02f3f3efec1ff61d3d884215
Warn: containerImage not pinned by hash: docker-examples/v4/plugins/docker-extend/Dockerfile:1: pin your Docker image by updating verdaccio/verdaccio to verdaccio/verdaccio@sha256:280f8815e1b2e70764e300fb0aea0a37e2effa7fee4831c406a3ae14827f5da8
Warn: containerImage not pinned by hash: docker-examples/v4/reverse_proxy/nginx/relative_path/nginx/Dockerfile:1: pin your Docker image by updating nginx:1.21-alpine to nginx:1.21-alpine@sha256:a74534e76ee1121d418fa7394ca930eb67440deda413848bc67c68138535b989
Warn: containerImage not pinned by hash: docker-examples/v4/reverse_proxy/nginx/relative_path/nginx_ssl/Dockerfile:1: pin your Docker image by updating nginx:1 to nginx:1@sha256:93230cd54060f497430c7a120e2347894846a81b6a5dd2110f7362c5423b4abc
Warn: containerImage not pinned by hash: docker-examples/v4/reverse_proxy/nginx/root_path/conf/nginx/Dockerfile:1: pin your Docker image by updating tutum/nginx to tutum/nginx@sha256:69a727916ab40de88f66407fb0115e35b759d7c6088852d901208479bec47429
Warn: containerImage not pinned by hash: docker-examples/v5/plugins/docker-build-install-plugin/Dockerfile:2: pin your Docker image by updating verdaccio/verdaccio:5 to verdaccio/verdaccio:5@sha256:9d622d256378c6e7ae09f384774ee2f0f8ac67a66c066db55921a0b7218abc4c
Warn: containerImage not pinned by hash: docker-examples/v5/plugins/docker-local-plugin/Dockerfile:4
Warn: containerImage not pinned by hash: docker-examples/v5/plugins/docker-local-plugin/Dockerfile:15: pin your Docker image by updating verdaccio/verdaccio:5 to verdaccio/verdaccio:5@sha256:9d622d256378c6e7ae09f384774ee2f0f8ac67a66c066db55921a0b7218abc4c
Warn: containerImage not pinned by hash: docker-examples/v5/reverse_proxy/nginx/relative_path/nginx/Dockerfile:1: pin your Docker image by updating nginx:1.21-alpine to nginx:1.21-alpine@sha256:a74534e76ee1121d418fa7394ca930eb67440deda413848bc67c68138535b989
Warn: containerImage not pinned by hash: docker-examples/v5/reverse_proxy/nginx/relative_path/nginx_ssl/Dockerfile:1: pin your Docker image by updating nginx:1 to nginx:1@sha256:93230cd54060f497430c7a120e2347894846a81b6a5dd2110f7362c5423b4abc
Warn: containerImage not pinned by hash: docker-examples/v5/reverse_proxy/nginx/root_path/conf/nginx/Dockerfile:1: pin your Docker image by updating tutum/nginx to tutum/nginx@sha256:69a727916ab40de88f66407fb0115e35b759d7c6088852d901208479bec47429
Warn: containerImage not pinned by hash: docker-examples/v5/reverse_proxy/nginx_relative/nginx/Dockerfile:1: pin your Docker image by updating nginx:1.21-alpine to nginx:1.21-alpine@sha256:a74534e76ee1121d418fa7394ca930eb67440deda413848bc67c68138535b989
Warn: containerImage not pinned by hash: docker-examples/v5/reverse_proxy/nginx_relative/nginx_ssl/Dockerfile:1: pin your Docker image by updating nginx:1 to nginx:1@sha256:93230cd54060f497430c7a120e2347894846a81b6a5dd2110f7362c5423b4abc
Warn: containerImage not pinned by hash: docker-examples/v6/amazon-s3-docker-example/s3Plugin/Dockerfile:1: pin your Docker image by updating verdaccio/verdaccio:6.x-next to verdaccio/verdaccio:6.x-next@sha256:2382905434628a4b48aef0dde5c3f33123bfd65cd969cee7ab38d0e6ef96350c
Warn: containerImage not pinned by hash: docker-examples/v6/plugins/docker-build-install-plugin/Dockerfile:5
Warn: containerImage not pinned by hash: docker-examples/v6/plugins/docker-build-install-plugin/Dockerfile:17: pin your Docker image by updating verdaccio/verdaccio:nightly-master to verdaccio/verdaccio:nightly-master@sha256:de3118f2c77124ca7a8c76a9af12036fadd08a440c934bca8a29bb6a90ce21af
Warn: containerImage not pinned by hash: docker-examples/v6/plugins/docker-local-plugin/Dockerfile:4
Warn: containerImage not pinned by hash: docker-examples/v6/plugins/docker-local-plugin/Dockerfile:15: pin your Docker image by updating verdaccio/verdaccio:nightly-master to verdaccio/verdaccio:nightly-master@sha256:de3118f2c77124ca7a8c76a9af12036fadd08a440c934bca8a29bb6a90ce21af
Warn: containerImage not pinned by hash: docker-examples/v6/proxy/apache-verdaccio/apache_proxy/Dockerfile:1: pin your Docker image by updating eboraas/apache to eboraas/apache@sha256:c7c5d67f9f6590fa07e19cb83cb6c29813a844b859b7302adb7989f447f17928
Warn: containerImage not pinned by hash: docker-examples/v6/reverse_proxy/nginx/relative_path/nginx/Dockerfile:1: pin your Docker image by updating nginx:1.21-alpine to nginx:1.21-alpine@sha256:a74534e76ee1121d418fa7394ca930eb67440deda413848bc67c68138535b989
Warn: containerImage not pinned by hash: docker-examples/v6/reverse_proxy/nginx/relative_path/nginx_ssl/Dockerfile:1: pin your Docker image by updating nginx:1 to nginx:1@sha256:93230cd54060f497430c7a120e2347894846a81b6a5dd2110f7362c5423b4abc
Warn: containerImage not pinned by hash: docker-examples/v6/reverse_proxy/nginx/root_path/conf/nginx/Dockerfile:1: pin your Docker image by updating tutum/nginx to tutum/nginx@sha256:69a727916ab40de88f66407fb0115e35b759d7c6088852d901208479bec47429
Warn: containerImage not pinned by hash: docker-examples/v6/verdaccio-github-oauth-ui/plugin/Dockerfile:1: pin your Docker image by updating verdaccio/verdaccio:6.x-next to verdaccio/verdaccio:6.x-next@sha256:2382905434628a4b48aef0dde5c3f33123bfd65cd969cee7ab38d0e6ef96350c
Warn: containerImage not pinned by hash: e2e/docker/apache-verdaccio/apache_proxy/Dockerfile:1: pin your Docker image by updating eboraas/apache to eboraas/apache@sha256:c7c5d67f9f6590fa07e19cb83cb6c29813a844b859b7302adb7989f447f17928
Warn: containerImage not pinned by hash: e2e/docker/docker-build-install-plugin/Dockerfile:1: pin your Docker image by updating verdaccio/verdaccio:nightly-master to verdaccio/verdaccio:nightly-master@sha256:de3118f2c77124ca7a8c76a9af12036fadd08a440c934bca8a29bb6a90ce21af
Warn: containerImage not pinned by hash: e2e/docker/docker-e2e-ui/Dockerfile:1: pin your Docker image by updating verdaccio/verdaccio:nightly-master to verdaccio/verdaccio:nightly-master@sha256:de3118f2c77124ca7a8c76a9af12036fadd08a440c934bca8a29bb6a90ce21af
Warn: containerImage not pinned by hash: e2e/docker/proxy-nginx/nginx/Dockerfile:2: pin your Docker image by updating nginx:alpine to nginx:alpine@sha256:b2e814d28359e77bd0aa5fed1939620075e4ffa0eb20423cc557b375bd5c14ad
Warn: npmCommand not pinned by hash: Dockerfile:14-19
Warn: pipCommand not pinned by hash: docker-examples/v4/amazon-s3-docker-example/localStack-resources/Dockerfile:7
Warn: npmCommand not pinned by hash: docker-examples/v4/amazon-s3-docker-example/s3Plugin/Dockerfile:14
Warn: npmCommand not pinned by hash: docker-examples/v4/amazon-s3-docker-example/s3Plugin/Dockerfile:14
Warn: npmCommand not pinned by hash: docker-examples/v4/ldap-verdaccio/verdaccio-ldap/Dockerfile:3
Warn: npmCommand not pinned by hash: docker-examples/v4/ldap-verdaccio/verdaccio-ldap/Dockerfile:3
Warn: npmCommand not pinned by hash: docker-examples/v4/plugins/docker-extend/Dockerfile:7
Warn: npmCommand not pinned by hash: docker-examples/v4/plugins/docker-extend/Dockerfile:7
Warn: npmCommand not pinned by hash: docker-examples/v5/plugins/docker-build-install-plugin/Dockerfile:5-6
Warn: npmCommand not pinned by hash: docker-examples/v5/plugins/docker-build-install-plugin/Dockerfile:5-6
Warn: npmCommand not pinned by hash: docker-examples/v5/plugins/docker-local-plugin/Dockerfile:11-12
Warn: npmCommand not pinned by hash: docker-examples/v6/amazon-s3-docker-example/s3Plugin/Dockerfile:7
Warn: npmCommand not pinned by hash: docker-examples/v6/plugins/docker-build-install-plugin/Dockerfile:12-14
Warn: npmCommand not pinned by hash: docker-examples/v6/plugins/docker-local-plugin/Dockerfile:11-12
Warn: npmCommand not pinned by hash: docker-examples/v6/verdaccio-github-oauth-ui/plugin/Dockerfile:7
Warn: npmCommand not pinned by hash: e2e/docker/docker-build-install-plugin/Dockerfile:5-7
Warn: npmCommand not pinned by hash: e2e/docker/docker-build-install-plugin/Dockerfile:5-7
Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:94
Warn: npmCommand not pinned by hash: .github/workflows/docker-proxy-apache-e2e.yml:40
Warn: npmCommand not pinned by hash: .github/workflows/docker-proxy-apache-e2e.yml:42
Warn: npmCommand not pinned by hash: .github/workflows/docker-proxy-apache-e2e.yml:46
Warn: npmCommand not pinned by hash: .github/workflows/docker-proxy-nginx-e2e.yml:38
Warn: npmCommand not pinned by hash: .github/workflows/docker-proxy-nginx-e2e.yml:40
Warn: npmCommand not pinned by hash: .github/workflows/docker-proxy-nginx-e2e.yml:44
Warn: npmCommand not pinned by hash: .github/workflows/plugin-generator-e2e.yaml:28
Warn: npmCommand not pinned by hash: .github/workflows/plugin-generator-e2e.yaml:38
Warn: npmCommand not pinned by hash: .github/workflows/plugin-generator-e2e.yaml:40
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-angular-cli-workflow.yml:18
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-angular-cli-workflow.yml:35
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-angular-cli-workflow.yml:39
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-angular-cli-workflow.yml:55
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-angular-cli-workflow.yml:72
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-angular-cli-workflow.yml:76
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-angular-cli-workflow.yml:91
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-angular-cli-workflow.yml:108
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-angular-cli-workflow.yml:112
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-audit-workflow.yml:18
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-audit-workflow.yml:30
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-gatsbyjs-cli-workflow.yml:18
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-gatsbyjs-cli-workflow.yml:36
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-gatsbyjs-cli-workflow.yml:53
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-gatsbyjs-cli-workflow.yml:71
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-jest-workflow.yml:83
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-jest-workflow.yml:95
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-jest-workflow.yml:116
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-jest-workflow.yml:128
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-jest-workflow.yml:149
Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-jest-workflow.yml:161
Warn: npmCommand not pinned by hash: .github/workflows/x-smok-test-docker.yml:28
Warn: npmCommand not pinned by hash: .github/workflows/x-smok-test-docker.yml:30
Warn: npmCommand not pinned by hash: .github/workflows/x-smok-test-docker.yml:32
Warn: npmCommand not pinned by hash: .github/workflows/x-smok-test-docker.yml:34
Warn: npmCommand not pinned by hash: .github/workflows/x-smok-test-module.yml:35
Warn: npmCommand not pinned by hash: .github/workflows/x-smok-test-module.yml:41
Warn: npmCommand not pinned by hash: .github/workflows/x-smok-test-module.yml:42
Info: 67 out of 67 GitHub-owned GitHubAction dependencies pinned
Info: 4 out of 13 third-party GitHubAction dependencies pinned
Info: 0 out of 32 containerImage dependencies pinned
Info: 0 out of 54 npmCommand dependencies pinned
Info: 0 out of 1 pipCommand dependencies pinned

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

Reason

detected GitHub workflow tokens with excessive permissions

Details

Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:25
Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:26
Info: jobLevel 'contents' permission set to 'read': .github/workflows/website.yml:17
Warn: jobLevel 'deployments' permission set to 'write': .github/workflows/website.yml:18
Warn: no topLevel permission defined: .github/workflows/changesets-pr.yml:1
Warn: no topLevel permission defined: .github/workflows/changesets.yml:1
Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:16
Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:16
Warn: no topLevel permission defined: .github/workflows/docker-proxy-apache-e2e.yml:1
Warn: no topLevel permission defined: .github/workflows/docker-proxy-nginx-e2e.yml:1
Info: topLevel 'contents' permission set to 'read': .github/workflows/docker-publish.yml:11
Info: topLevel 'contents' permission set to 'read': .github/workflows/e2e-ci.yml:5
Info: topLevel 'contents' permission set to 'read': .github/workflows/e2e-ui.yml:6
Warn: no topLevel permission defined: .github/workflows/plugin-generator-e2e.yaml:1
Warn: no topLevel permission defined: .github/workflows/shared-docker-publish.yml:1
Info: topLevel 'contents' permission set to 'read': .github/workflows/static-data.yml:16
Warn: no topLevel permission defined: .github/workflows/test-docker-build.yml:1
Warn: no topLevel permission defined: .github/workflows/test-publish-package.yml:1
Info: topLevel 'contents' permission set to 'read': .github/workflows/ui-components.yml:15
Info: topLevel 'contents' permission set to 'read': .github/workflows/website.yml:8
Warn: no topLevel permission defined: .github/workflows/x-e2e-angular-cli-workflow.yml:1
Warn: no topLevel permission defined: .github/workflows/x-e2e-audit-workflow.yml:1
Warn: no topLevel permission defined: .github/workflows/x-e2e-gatsbyjs-cli-workflow.yml:1
Warn: no topLevel permission defined: .github/workflows/x-e2e-jest-workflow.yml:1
Warn: no topLevel permission defined: .github/workflows/x-release-snapshot.yml:1
Warn: no topLevel permission defined: .github/workflows/x-release.yml:1
Warn: no topLevel permission defined: .github/workflows/x-smok-test-docker.yml:1
Warn: no topLevel permission defined: .github/workflows/x-smok-test-module.yml:1
Warn: no topLevel permission defined: .github/workflows/yarn-ci-lint.yml:1
Warn: no topLevel permission defined: .github/workflows/yarn-ci.yml:1

0

Fuzzing

Determines if the project uses fuzzing.

0

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

Reason

40 existing vulnerabilities detected

Details

Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
Warn: Project is vulnerable to: GHSA-8hc4-vh64-cxmj
Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6
Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99
Warn: Project is vulnerable to: GHSA-f7f6-9jq7-3rqj
Warn: Project is vulnerable to: GHSA-rrr8-f88r-h8q6
Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
Warn: Project is vulnerable to: GHSA-75v8-2h7p-7m2m
Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh
Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42
Warn: Project is vulnerable to: GHSA-cg87-wmx4-v546
Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
Warn: Project is vulnerable to: GHSA-hj9c-8jmm-8c52
Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
Warn: Project is vulnerable to: GHSA-vm32-9rqf-rh3r
Warn: Project is vulnerable to: GHSA-8cc4-rfj6-fhg4
Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
Warn: Project is vulnerable to: GHSA-x7hr-w5r2-h6wg
Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm
Warn: Project is vulnerable to: GHSA-64vr-g452-qvp3
Warn: Project is vulnerable to: GHSA-9cwx-2883-4wfx
Warn: Project is vulnerable to: GHSA-vg6x-rcgg-rjx6
Warn: Project is vulnerable to: GHSA-x574-m823-4x7w
Warn: Project is vulnerable to: GHSA-4r4m-qw57-chr8
Warn: Project is vulnerable to: GHSA-xcj6-pq6g-qj4x
Warn: Project is vulnerable to: GHSA-356w-63v5-8wf4
Warn: Project is vulnerable to: GHSA-859w-5945-r5v3
Warn: Project is vulnerable to: GHSA-9crc-q9x8-hgqq
Warn: Project is vulnerable to: GHSA-4v9v-hfq4-rm2v
Warn: Project is vulnerable to: GHSA-9jgg-88mc-972h

Score

6

/10

Last Scanned on 2025-07-07

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More