chore: code refactoring for whit-labeling #15

ahmed-deriv · 2026-02-09T07:03:51Z

This pull request primarily focuses on improving code consistency and clarity in documentation by standardizing TypeScript syntax, adding missing semicolons, and enhancing formatting in code examples and markdown files. It also updates the .husky/pre-commit hook to provide clearer feedback and error handling for pre-commit checks.

Pre-commit Hook Improvements

Enhanced .husky/pre-commit script to provide clearer output, improved error handling, and user feedback for the ShiftAI hook. Type checking and linting steps are present but commented out for future use.

Documentation and Code Consistency Updates

TypeScript Syntax & Formatting:

Standardized TypeScript code examples in migrate-docs/AUTHENTICATION_FLOW.md and migrate-docs/DERIVWS_AUTHENTICATED_WEBSOCKET_FLOW.md by adding missing semicolons, consistent formatting, and clarifying function and class method signatures.
Improved inline code comments and code block formatting for better readability.

Markdown & Documentation Structure:

Added section dividers, clarified data flow diagrams, and improved markdown structure in authentication and error logging guides.

These changes collectively improve maintainability, developer experience, and onboarding for anyone working with the authentication flow and related documentation.

github-actions · 2026-02-09T07:04:17Z

Dependency Review

The following issues were found:

✅ 0 vulnerable package(s)
✅ 0 package(s) with incompatible licenses
✅ 0 package(s) with invalid SPDX license definitions
✅ 0 package(s) with unknown licenses.
⚠️ 2 packages with OpenSSF Scorecard issues.

See the Details below.

OpenSSF Scorecard

Scorecard details

Package

Version

Score

Details

npm/@isaacs/brace-expansion

5.0.0

Unknown

npm/@remix-run/router

1.23.1

🟢 4.7

Details

Check	Score	Reason
Security-Policy	🟢 10	security policy file detected
Code-Review	⚠️ 2	Found 7/28 approved changesets -- score normalized to 2
Maintained	🟢 10	30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
License	🟢 10	license file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	60 existing vulnerabilities detected

npm/tar

7.5.2

🟢 5.1

Details

Check	Score	Reason
Maintained	🟢 10	15 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 0	Found 2/30 approved changesets -- score normalized to 0
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 6	4 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/lodash

4.17.21

🟢 6.9

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests	🟢 7	16 out of 22 merged PRs checked by a CI test -- score normalized to 7
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 7	Found 21/30 approved changesets -- score normalized to 7
Contributors	🟢 10	project has 88 contributing companies or organizations
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	🟢 10	update tool detected
Fuzzing	🟢 10	project is fuzzed
License	🟢 9	license file detected
Maintained	🟢 10	10 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
SAST	🟢 8	SAST tool detected but not run on all commits
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Vulnerabilities	⚠️ 0	78 existing vulnerabilities detected

npm/lodash-es

4.17.21

🟢 6.9

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests	🟢 7	16 out of 22 merged PRs checked by a CI test -- score normalized to 7
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 7	Found 21/30 approved changesets -- score normalized to 7
Contributors	🟢 10	project has 88 contributing companies or organizations
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	🟢 10	update tool detected
Fuzzing	🟢 10	project is fuzzed
License	🟢 9	license file detected
Maintained	🟢 10	10 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
SAST	🟢 8	SAST tool detected but not run on all commits
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Vulnerabilities	⚠️ 0	78 existing vulnerabilities detected

npm/diff

7.0.0

🟢 3.4

Details

Check	Score	Reason
Dangerous-Workflow	⚠️ -1	no workflows found
Packaging	⚠️ -1	packaging workflow not detected
Maintained	🟢 10	9 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 1	Found 4/27 approved changesets -- score normalized to 1
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ -1	No tokens found
Pinned-Dependencies	⚠️ -1	no dependencies found
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Vulnerabilities	⚠️ 2	8 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/diff

8.0.2

🟢 3.4

Details

Check	Score	Reason
Dangerous-Workflow	⚠️ -1	no workflows found
Packaging	⚠️ -1	packaging workflow not detected
Maintained	🟢 10	9 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 1	Found 4/27 approved changesets -- score normalized to 1
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ -1	No tokens found
Pinned-Dependencies	⚠️ -1	no dependencies found
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Vulnerabilities	⚠️ 2	8 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/@isaacs/brace-expansion

5.0.1

Unknown

npm/@npmcli/arborist

9.2.0

🟢 6.1

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
License	🟢 9	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Fuzzing	⚠️ 0	project is not fuzzed
SAST	🟢 9	SAST tool detected but not run on all commits
Vulnerabilities	⚠️ 0	121 existing vulnerabilities detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0

npm/@npmcli/config

10.6.0

🟢 6.1

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
License	🟢 9	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Fuzzing	⚠️ 0	project is not fuzzed
SAST	🟢 9	SAST tool detected but not run on all commits
Vulnerabilities	⚠️ 0	121 existing vulnerabilities detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0

npm/@remix-run/router

1.23.2

🟢 4.7

Details

Check	Score	Reason
Security-Policy	🟢 10	security policy file detected
Code-Review	⚠️ 2	Found 7/28 approved changesets -- score normalized to 2
Maintained	🟢 10	30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
License	🟢 10	license file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	60 existing vulnerabilities detected

npm/@sigstore/core

3.1.0

🟢 8.2

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 10	all changesets reviewed
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 9	dependency not pinned by hash detected -- score normalized to 9
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ -1	internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
CI-Tests	⚠️ -1	internal error: internal error: Client.Repositories.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
Contributors	🟢 6	project has 2 contributing companies or organizations -- score normalized to 6

npm/@sigstore/sign

4.1.0

🟢 8.2

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 10	all changesets reviewed
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 9	dependency not pinned by hash detected -- score normalized to 9
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ -1	internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
CI-Tests	⚠️ -1	internal error: internal error: Client.Repositories.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
Contributors	🟢 6	project has 2 contributing companies or organizations -- score normalized to 6

npm/@sigstore/tuf

4.0.1

🟢 8.2

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 10	all changesets reviewed
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 9	dependency not pinned by hash detected -- score normalized to 9
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ -1	internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
CI-Tests	⚠️ -1	internal error: internal error: Client.Repositories.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
Contributors	🟢 6	project has 2 contributing companies or organizations -- score normalized to 6

npm/@sigstore/verify

3.1.0

🟢 8.2

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 10	all changesets reviewed
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 9	dependency not pinned by hash detected -- score normalized to 9
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ -1	internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
CI-Tests	⚠️ -1	internal error: internal error: Client.Repositories.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
Contributors	🟢 6	project has 2 contributing companies or organizations -- score normalized to 6

npm/@sinonjs/fake-timers

15.1.0

🟢 5.4

Details

Check	Score	Reason
Maintained	🟢 7	9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	⚠️ 2	Found 7/28 approved changesets -- score normalized to 2
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	🟢 5	5 existing vulnerabilities detected

npm/@tufjs/models

4.1.0

🟢 7.8

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dependency-Update-Tool	🟢 10	update tool detected
Maintained	🟢 10	15 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Security-Policy	🟢 10	security policy file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
SAST	⚠️ -1	internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
CI-Tests	⚠️ -1	internal error: internal error: Client.Repositories.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 5	branch protection is not maximal on development and all release branches
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
Contributors	🟢 3	project has 1 contributing companies or organizations -- score normalized to 3

npm/ci-info

4.4.0

🟢 4

Details

Check	Score	Reason
Code-Review	⚠️ 1	Found 5/30 approved changesets -- score normalized to 1
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Maintained	🟢 4	3 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 4
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Signed-Releases	⚠️ -1	no releases found
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/common-ancestor-path

2.0.0

🟢 3.7

Details

Check	Score	Reason
Code-Review	⚠️ 0	Found 0/11 approved changesets -- score normalized to 0
Maintained	⚠️ 1	2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
SAST	⚠️ 0	no SAST tool detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Security-Policy	🟢 10	security policy file detected
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Vulnerabilities	🟢 5	5 existing vulnerabilities detected

npm/diff

8.0.3

🟢 3.4

Details

Check	Score	Reason
Dangerous-Workflow	⚠️ -1	no workflows found
Packaging	⚠️ -1	packaging workflow not detected
Maintained	🟢 10	9 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 1	Found 4/27 approved changesets -- score normalized to 1
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ -1	No tokens found
Pinned-Dependencies	⚠️ -1	no dependencies found
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Vulnerabilities	⚠️ 2	8 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/glob

13.0.1

🟢 5

Details

Check	Score	Reason
Maintained	🟢 10	14 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 0	Found 2/29 approved changesets -- score normalized to 0
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 9	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/ip-address

10.1.0

⚠️ 2.8

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	⚠️ -1	no workflows found
Code-Review	⚠️ 1	Found 4/28 approved changesets -- score normalized to 1
Maintained	🟢 4	4 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 4
Token-Permissions	⚠️ -1	No tokens found
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ -1	no dependencies found
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Vulnerabilities	⚠️ 0	17 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/is-cidr

6.0.2

🟢 4.4

Details

Check	Score	Reason
Code-Review	⚠️ 0	Found 0/30 approved changesets -- score normalized to 0
Maintained	🟢 10	12 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
SAST	⚠️ 0	no SAST tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Vulnerabilities	🟢 10	0 existing vulnerabilities detected

npm/libnpmdiff

8.1.0

🟢 6.1

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
License	🟢 9	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Fuzzing	⚠️ 0	project is not fuzzed
SAST	🟢 9	SAST tool detected but not run on all commits
Vulnerabilities	⚠️ 0	121 existing vulnerabilities detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0

npm/libnpmexec

10.2.0

🟢 6.1

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
License	🟢 9	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Fuzzing	⚠️ 0	project is not fuzzed
SAST	🟢 9	SAST tool detected but not run on all commits
Vulnerabilities	⚠️ 0	121 existing vulnerabilities detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0

npm/libnpmfund

7.0.14

🟢 6.1

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
License	🟢 9	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Fuzzing	⚠️ 0	project is not fuzzed
SAST	🟢 9	SAST tool detected but not run on all commits
Vulnerabilities	⚠️ 0	121 existing vulnerabilities detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0

npm/libnpmpack

9.1.0

🟢 6.1

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
License	🟢 9	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Fuzzing	⚠️ 0	project is not fuzzed
SAST	🟢 9	SAST tool detected but not run on all commits
Vulnerabilities	⚠️ 0	121 existing vulnerabilities detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0

npm/lodash

4.17.23

🟢 6.9

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests	🟢 7	16 out of 22 merged PRs checked by a CI test -- score normalized to 7
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 7	Found 21/30 approved changesets -- score normalized to 7
Contributors	🟢 10	project has 88 contributing companies or organizations
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	🟢 10	update tool detected
Fuzzing	🟢 10	project is fuzzed
License	🟢 9	license file detected
Maintained	🟢 10	10 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
SAST	🟢 8	SAST tool detected but not run on all commits
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Vulnerabilities	⚠️ 0	78 existing vulnerabilities detected

npm/lodash-es

4.17.23

🟢 6.9

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests	🟢 7	16 out of 22 merged PRs checked by a CI test -- score normalized to 7
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 7	Found 21/30 approved changesets -- score normalized to 7
Contributors	🟢 10	project has 88 contributing companies or organizations
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	🟢 10	update tool detected
Fuzzing	🟢 10	project is fuzzed
License	🟢 9	license file detected
Maintained	🟢 10	10 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
SAST	🟢 8	SAST tool detected but not run on all commits
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Vulnerabilities	⚠️ 0	78 existing vulnerabilities detected

npm/lru-cache

11.2.5

🟢 4.8

Details

Check	Score	Reason
Code-Review	⚠️ 0	Found 1/29 approved changesets -- score normalized to 0
Maintained	🟢 10	10 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 3	7 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/minimatch

10.1.2

🟢 4.9

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Maintained	🟢 3	3 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 3
Code-Review	⚠️ 1	Found 4/28 approved changesets -- score normalized to 1
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/minipass-fetch

5.0.1

🟢 6.5

Details

Check	Score	Reason
Maintained	🟢 5	3 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 5
Code-Review	🟢 10	all changesets reviewed
Security-Policy	🟢 10	security policy file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 9	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	🟢 7	SAST tool detected but not run on all commits

npm/minipass-sized

2.0.0

🟢 3.9

Details

Check	Score	Reason
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Packaging	⚠️ -1	packaging workflow not detected
Maintained	🟢 3	2 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 3
Code-Review	⚠️ 0	Found 0/15 approved changesets -- score normalized to 0
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
SAST	⚠️ 0	no SAST tool detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 5	5 existing vulnerabilities detected

npm/node-gyp

12.2.0

🟢 6.7

Details

Check	Score	Reason
Maintained	🟢 10	21 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 7	Found 18/23 approved changesets -- score normalized to 7
Security-Policy	🟢 9	security policy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Signed-Releases	⚠️ -1	no releases found
Packaging	🟢 10	packaging workflow detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/npm

11.9.0

🟢 6.1

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
License	🟢 9	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Fuzzing	⚠️ 0	project is not fuzzed
SAST	🟢 9	SAST tool detected but not run on all commits
Vulnerabilities	⚠️ 0	121 existing vulnerabilities detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0

npm/pacote

21.1.0

🟢 6.9

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Maintained	🟢 8	10 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 9	Found 9/10 approved changesets -- score normalized to 9
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	🟢 9	SAST tool detected but not run on all commits

npm/path-scurry

2.0.1

🟢 3.4

Details

Check	Score	Reason
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	⚠️ 0	Found 0/30 approved changesets -- score normalized to 0
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Maintained	⚠️ 2	3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2
SAST	⚠️ 0	no SAST tool detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 9	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	⚠️ 1	9 existing vulnerabilities detected

npm/postcss-selector-parser

7.1.1

🟢 3.3

Details

Check	Score	Reason
Code-Review	🟢 6	Found 18/27 approved changesets -- score normalized to 6
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Maintained	⚠️ 1	2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
Security-Policy	⚠️ 0	security policy file not detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Vulnerabilities	⚠️ 0	10 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/react-router

6.30.3

🟢 4.7

Details

Check	Score	Reason
Security-Policy	🟢 10	security policy file detected
Code-Review	⚠️ 2	Found 7/28 approved changesets -- score normalized to 2
Maintained	🟢 10	30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
License	🟢 10	license file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	60 existing vulnerabilities detected

npm/react-router-dom

6.30.3

🟢 4.7

Details

Check	Score	Reason
Security-Policy	🟢 10	security policy file detected
Code-Review	⚠️ 2	Found 7/28 approved changesets -- score normalized to 2
Maintained	🟢 10	30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
License	🟢 10	license file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	60 existing vulnerabilities detected

npm/sigstore

4.1.0

🟢 8.2

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 10	all changesets reviewed
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 9	dependency not pinned by hash detected -- score normalized to 9
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ -1	internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
CI-Tests	⚠️ -1	internal error: internal error: Client.Repositories.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
Contributors	🟢 6	project has 2 contributing companies or organizations -- score normalized to 6

npm/sinon

21.0.1

🟢 5.1

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	🟢 3	Found 11/29 approved changesets -- score normalized to 3
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Maintained	🟢 5	7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies	⚠️ 2	dependency not pinned by hash detected -- score normalized to 2
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 9	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	🟢 5	SAST tool is not run on all commits -- score normalized to 5
Vulnerabilities	⚠️ 0	13 existing vulnerabilities detected

npm/tar

7.5.7

🟢 5.1

Details

Check	Score	Reason
Maintained	🟢 10	15 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 0	Found 2/30 approved changesets -- score normalized to 0
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 6	4 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/tuf-js

4.1.0

🟢 7.8

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dependency-Update-Tool	🟢 10	update tool detected
Maintained	🟢 10	15 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Security-Policy	🟢 10	security policy file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
SAST	⚠️ -1	internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
CI-Tests	⚠️ -1	internal error: internal error: Client.Repositories.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 5	branch protection is not maximal on development and all release branches
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
Contributors	🟢 3	project has 1 contributing companies or organizations -- score normalized to 3

npm/validate-npm-package-name

7.0.2

🟢 6.8

Details

Check	Score	Reason
Security-Policy	🟢 10	security policy file detected
Maintained	🟢 7	8 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 7
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 10	all changesets reviewed
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	🟢 8	SAST tool detected but not run on all commits

npm/@deriv-com/analytics

1.35.1

Unknown

npm/@growthbook/growthbook

1.6.2

Unknown

npm/@npmcli/arborist

9.1.9

🟢 6.1

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
License	🟢 9	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Fuzzing	⚠️ 0	project is not fuzzed
SAST	🟢 9	SAST tool detected but not run on all commits
Vulnerabilities	⚠️ 0	121 existing vulnerabilities detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0

npm/@npmcli/config

10.4.5

🟢 6.1

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
License	🟢 9	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Fuzzing	⚠️ 0	project is not fuzzed
SAST	🟢 9	SAST tool detected but not run on all commits
Vulnerabilities	⚠️ 0	121 existing vulnerabilities detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0

npm/@opentelemetry/api

1.9.0

🟢 7.4

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits
Branch-Protection	🟢 4	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Fuzzing	⚠️ 0	project is not fuzzed
CI-Tests	🟢 10	30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors	🟢 10	project has 43 contributing companies or organizations

npm/@opentelemetry/api-logs

0.208.0

🟢 7.4

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits
Branch-Protection	🟢 4	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Fuzzing	⚠️ 0	project is not fuzzed
CI-Tests	🟢 10	30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors	🟢 10	project has 43 contributing companies or organizations

npm/@opentelemetry/core

2.2.0

🟢 7.4

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits
Branch-Protection	🟢 4	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Fuzzing	⚠️ 0	project is not fuzzed
CI-Tests	🟢 10	30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors	🟢 10	project has 43 contributing companies or organizations

npm/@opentelemetry/core

2.4.0

🟢 7.4

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits
Branch-Protection	🟢 4	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Fuzzing	⚠️ 0	project is not fuzzed
CI-Tests	🟢 10	30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors	🟢 10	project has 43 contributing companies or organizations

npm/@opentelemetry/exporter-logs-otlp-http

0.208.0

🟢 7.4

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits
Branch-Protection	🟢 4	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Fuzzing	⚠️ 0	project is not fuzzed
CI-Tests	🟢 10	30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors	🟢 10	project has 43 contributing companies or organizations

npm/@opentelemetry/otlp-exporter-base

0.208.0

🟢 7.4

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits
Branch-Protection	🟢 4	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Fuzzing	⚠️ 0	project is not fuzzed
CI-Tests	🟢 10	30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors	🟢 10	project has 43 contributing companies or organizations

npm/@opentelemetry/otlp-transformer

0.208.0

🟢 7.4

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits
Branch-Protection	🟢 4	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Fuzzing	⚠️ 0	project is not fuzzed
CI-Tests	🟢 10	30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors	🟢 10	project has 43 contributing companies or organizations

npm/@opentelemetry/resources

2.2.0

🟢 7.4

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits
Branch-Protection	🟢 4	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Fuzzing	⚠️ 0	project is not fuzzed
CI-Tests	🟢 10	30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors	🟢 10	project has 43 contributing companies or organizations

npm/@opentelemetry/resources

2.4.0

🟢 7.4

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits
Branch-Protection	🟢 4	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Fuzzing	⚠️ 0	project is not fuzzed
CI-Tests	🟢 10	30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors	🟢 10	project has 43 contributing companies or organizations

npm/@opentelemetry/sdk-logs

0.208.0

🟢 7.4

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits
Branch-Protection	🟢 4	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Fuzzing	⚠️ 0	project is not fuzzed
CI-Tests	🟢 10	30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors	🟢 10	project has 43 contributing companies or organizations

npm/@opentelemetry/sdk-metrics

2.2.0

🟢 7.4

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits
Branch-Protection	🟢 4	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Fuzzing	⚠️ 0	project is not fuzzed
CI-Tests	🟢 10	30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors	🟢 10	project has 43 contributing companies or organizations

npm/@opentelemetry/sdk-trace-base

2.2.0

🟢 7.4

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits
Branch-Protection	🟢 4	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Fuzzing	⚠️ 0	project is not fuzzed
CI-Tests	🟢 10	30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors	🟢 10	project has 43 contributing companies or organizations

npm/@opentelemetry/semantic-conventions

1.39.0

🟢 7.4

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits
Branch-Protection	🟢 4	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Fuzzing	⚠️ 0	project is not fuzzed
CI-Tests	🟢 10	30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors	🟢 10	project has 43 contributing companies or organizations

npm/@posthog/core

1.13.0

🟢 6.4

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 6	Found 19/29 approved changesets -- score normalized to 6
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
License	🟢 9	license file detected
Packaging	⚠️ -1	packaging workflow not detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Branch-Protection	🟢 4	branch protection is not maximal on development and all release branches
Binary-Artifacts	🟢 9	binaries present in source code
Security-Policy	🟢 10	security policy file detected
Pinned-Dependencies	🟢 4	dependency not pinned by hash detected -- score normalized to 4
Fuzzing	🟢 10	project is fuzzed
Vulnerabilities	⚠️ 0	84 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits

npm/@posthog/types

1.332.0

🟢 6.4

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 6	Found 19/29 approved changesets -- score normalized to 6
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
License	🟢 9	license file detected
Packaging	⚠️ -1	packaging workflow not detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Branch-Protection	🟢 4	branch protection is not maximal on development and all release branches
Binary-Artifacts	🟢 9	binaries present in source code
Security-Policy	🟢 10	security policy file detected
Pinned-Dependencies	🟢 4	dependency not pinned by hash detected -- score normalized to 4
Fuzzing	🟢 10	project is fuzzed
Vulnerabilities	⚠️ 0	84 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits

npm/@protobufjs/aspromise

1.1.2

🟢 4.6

Details

Check	Score	Reason
Maintained	⚠️ 1	2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 10	all changesets reviewed
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 9	license file detected
Fuzzing	🟢 10	project is fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	27 existing vulnerabilities detected

npm/@protobufjs/base64

1.1.2

🟢 4.6

Details

Check	Score	Reason
Maintained	⚠️ 1	2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 10	all changesets reviewed
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 9	license file detected
Fuzzing	🟢 10	project is fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	27 existing vulnerabilities detected

npm/@protobufjs/codegen

2.0.4

🟢 4.6

Details

Check	Score	Reason
Maintained	⚠️ 1	2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 10	all changesets reviewed
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 9	license file detected
Fuzzing	🟢 10	project is fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	27 existing vulnerabilities detected

npm/@protobufjs/eventemitter

1.1.0

🟢 4.6

Details

Check	Score	Reason
Maintained	⚠️ 1	2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 10	all changesets reviewed
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 9	license file detected
Fuzzing	🟢 10	project is fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	27 existing vulnerabilities detected

npm/@protobufjs/fetch

1.1.0

🟢 4.6

Details

Check	Score	Reason
Maintained	⚠️ 1	2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 10	all changesets reviewed
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 9	license file detected
Fuzzing	🟢 10	project is fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	27 existing vulnerabilities detected

npm/@protobufjs/float

1.0.2

🟢 4.6

Details

Check	Score	Reason
Maintained	⚠️ 1	2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 10	all changesets reviewed
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 9	license file detected
Fuzzing	🟢 10	project is fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	27 existing vulnerabilities detected

npm/@protobufjs/inquire

1.1.0

🟢 4.6

Details

Check	Score	Reason
Maintained	⚠️ 1	2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 10	all changesets reviewed
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 9	license file detected
Fuzzing	🟢 10	project is fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	27 existing vulnerabilities detected

npm/@protobufjs/path

1.1.2

🟢 4.6

Details

Check	Score	Reason
Maintained	⚠️ 1	2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 10	all changesets reviewed
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 9	license file detected
Fuzzing	🟢 10	project is fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	27 existing vulnerabilities detected

npm/@protobufjs/pool

1.1.0

🟢 4.6

Details

Check	Score	Reason
Maintained	⚠️ 1	2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 10	all changesets reviewed
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 9	license file detected
Fuzzing	🟢 10	project is fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	27 existing vulnerabilities detected

npm/@protobufjs/utf8

1.1.0

🟢 4.6

Details

Check	Score	Reason
Maintained	⚠️ 1	2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 10	all changesets reviewed
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 9	license file detected
Fuzzing	🟢 10	project is fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	27 existing vulnerabilities detected

npm/@rollup/rollup-linux-x64-gnu

4.53.3

🟢 5.3

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 2	Found 5/20 approved changesets -- score normalized to 2
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
License	🟢 9	license file detected
Dangerous-Workflow	⚠️ 0	dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Signed-Releases	⚠️ -1	no releases found
Packaging	🟢 10	packaging workflow detected
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
Binary-Artifacts	🟢 10	no binaries found in the repo
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed
Vulnerabilities	🟢 10	0 existing vulnerabilities detected

npm/@rudderstack/analytics-js

3.26.0

🟢 5.4

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 10	all changesets reviewed
Security-Policy	🟢 10	security policy file detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 9	license file detected
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow	⚠️ 0	dangerous workflow patterns detected
Pinned-Dependencies	🟢 9	dependency not pinned by hash detected -- score normalized to 9
Fuzzing	⚠️ 0	project is not fuzzed
SAST	🟢 6	SAST tool is not run on all commits -- score normalized to 6
Vulnerabilities	⚠️ 0	29 existing vulnerabilities detected

npm/@sigstore/core

3.0.0

🟢 8.2

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 10	all changesets reviewed
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 9	dependency not pinned by hash detected -- score normalized to 9
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ -1	internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
CI-Tests	⚠️ -1	internal error: internal error: Client.Repositories.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
Contributors	🟢 6	project has 2 contributing companies or organizations -- score normalized to 6

npm/@sigstore/sign

4.0.1

🟢 8.2

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 10	all changesets reviewed
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 9	dependency not pinned by hash detected -- score normalized to 9
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ -1	internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
CI-Tests	⚠️ -1	internal error: internal error: Client.Repositories.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
Contributors	🟢 6	project has 2 contributing companies or organizations -- score normalized to 6

npm/@sigstore/tuf

4.0.0

🟢 8.2

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 10	all changesets reviewed
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 9	dependency not pinned by hash detected -- score normalized to 9
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ -1	internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
CI-Tests	⚠️ -1	internal error: internal error: Client.Repositories.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
Contributors	🟢 6	project has 2 contributing companies or organizations -- score normalized to 6

npm/@sigstore/verify

3.0.0

🟢 8.2

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 10	all changesets reviewed
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 9	dependency not pinned by hash detected -- score normalized to 9
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ -1	internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
CI-Tests	⚠️ -1	internal error: internal error: Client.Repositories.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
Contributors	🟢 6	project has 2 contributing companies or organizations -- score normalized to 6

npm/@sinonjs/fake-timers

13.0.5

🟢 5.4

Details

Check	Score	Reason
Maintained	🟢 7	9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	⚠️ 2	Found 7/28 approved changesets -- score normalized to 2
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	🟢 5	5 existing vulnerabilities detected

npm/@tufjs/models

4.0.0

🟢 7.8

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dependency-Update-Tool	🟢 10	update tool detected
Maintained	🟢 10	15 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Security-Policy	🟢 10	security policy file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
SAST	⚠️ -1	internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
CI-Tests	⚠️ -1	internal error: internal error: Client.Repositories.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 5	branch protection is not maximal on development and all release branches
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
Contributors	🟢 3	project has 1 contributing companies or organizations -- score normalized to 3

npm/@types/node

20.5.1

🟢 6.9

Details

Check	Score	Reason
Code-Review	🟢 8	Found 25/30 approved changesets -- score normalized to 8
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 9	license file detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/ci-info

4.3.1

🟢 4

Details

Check	Score	Reason
Code-Review	⚠️ 1	Found 5/30 approved changesets -- score normalized to 1
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Maintained	🟢 4	3 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 4
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Signed-Releases	⚠️ -1	no releases found
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/common-ancestor-path

1.0.1

🟢 3.7

Details

Check	Score	Reason
Code-Review	⚠️ 0	Found 0/11 approved changesets -- score normalized to 0
Maintained	⚠️ 1	2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
SAST	⚠️ 0	no SAST tool detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Security-Policy	🟢 10	security policy file detected
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Vulnerabilities	🟢 5	5 existing vulnerabilities detected

npm/core-js

3.47.0

🟢 4.1

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 0	Found 2/29 approved changesets -- score normalized to 0
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Security-Policy	🟢 10	security policy file detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	20 existing vulnerabilities detected

npm/dom-mutator

0.6.0

Unknown

npm/fflate

0.4.8

🟢 3.3

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	⚠️ 1	Found 5/30 approved changesets -- score normalized to 1
Token-Permissions	⚠️ -1	No tokens found
Dangerous-Workflow	⚠️ -1	no workflows found
Maintained	🟢 8	0 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 8
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies	⚠️ -1	no dependencies found
Security-Policy	⚠️ 0	security policy file not detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Vulnerabilities	🟢 3	7 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/glob

13.0.0

🟢 5

Details

Check	Score	Reason
Maintained	🟢 10	14 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 0	Found 2/29 approved changesets -- score normalized to 0
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 9	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/ip-address

10.0.1

⚠️ 2.8

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	⚠️ -1	no workflows found
Code-Review	⚠️ 1	Found 4/28 approved changesets -- score normalized to 1
Maintained	🟢 4	4 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 4
Token-Permissions	⚠️ -1	No tokens found
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ -1	no dependencies found
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Vulnerabilities	⚠️ 0	17 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/is-cidr

6.0.1

🟢 4.4

Details

Check	Score	Reason
Code-Review	⚠️ 0	Found 0/30 approved changesets -- score normalized to 0
Maintained	🟢 10	12 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
SAST	⚠️ 0	no SAST tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Vulnerabilities	🟢 10	0 existing vulnerabilities detected

npm/libnpmdiff

8.0.12

🟢 6.1

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
License	🟢 9	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Fuzzing	⚠️ 0	project is not fuzzed
SAST	🟢 9	SAST tool detected but not run on all commits
Vulnerabilities	⚠️ 0	121 existing vulnerabilities detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0

npm/libnpmexec

10.1.11

🟢 6.1

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
License	🟢 9	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Fuzzing	⚠️ 0	project is not fuzzed
SAST	🟢 9	SAST tool detected but not run on all commits
Vulnerabilities	⚠️ 0	121 existing vulnerabilities detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0

npm/libnpmfund

7.0.12

🟢 6.1

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
License	🟢 9	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Fuzzing	⚠️ 0	project is not fuzzed
SAST	🟢 9	SAST tool detected but not run on all commits
Vulnerabilities	⚠️ 0	121 existing vulnerabilities detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0

npm/libnpmpack

9.0.12

🟢 6.1

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
License	🟢 9	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Fuzzing	⚠️ 0	project is not fuzzed
SAST	🟢 9	SAST tool detected but not run on all commits
Vulnerabilities	⚠️ 0	121 existing vulnerabilities detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0

npm/long

5.3.2

🟢 4

Details

Check	Score	Reason
Code-Review	🟢 3	GitHub code reviews found for 11 commits out of the last 30 -- score normalized to 3
Maintained	⚠️ 0	0 commit(s) out of 30 and 0 issue activity out of 30 found in the last 90 days -- score normalized to 0
CII-Best-Practices	⚠️ 0	no badge detected
Vulnerabilities	🟢 10	no vulnerabilities detected
License	🟢 10	license file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	non read-only tokens detected in GitHub workflows
Packaging	⚠️ -1	no published package detected
Pinned-Dependencies	🟢 7	dependency not pinned by hash detected -- score normalized to 7
Security-Policy	⚠️ 0	security policy file not detected
Signed-Releases	⚠️ -1	no releases found
Dependency-Update-Tool	⚠️ 0	no update tool detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches

npm/lru-cache

11.2.2

🟢 4.8

Details

Check	Score	Reason
Code-Review	⚠️ 0	Found 1/29 approved changesets -- score normalized to 0
Maintained	🟢 10	10 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 3	7 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/minimatch

10.1.1

🟢 4.9

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Maintained	🟢 3	3 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 3
Code-Review	⚠️ 1	Found 4/28 approved changesets -- score normalized to 1
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/minipass-fetch

5.0.0

🟢 6.5

Details

Check	Score	Reason
Maintained	🟢 5	3 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 5
Code-Review	🟢 10	all changesets reviewed
Security-Policy	🟢 10	security policy file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 9	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	🟢 7	SAST tool detected but not run on all commits

npm/minipass-sized

1.0.3

🟢 3.9

Details

Check	Score	Reason
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Packaging	⚠️ -1	packaging workflow not detected
Maintained	🟢 3	2 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 3
Code-Review	⚠️ 0	Found 0/15 approved changesets -- score normalized to 0
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
SAST	⚠️ 0	no SAST tool detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 5	5 existing vulnerabilities detected

npm/node-gyp

12.1.0

🟢 6.7

Details

Check	Score	Reason
Maintained	🟢 10	21 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 7	Found 18/23 approved changesets -- score normalized to 7
Security-Policy	🟢 9	security policy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Signed-Releases	⚠️ -1	no releases found
Packaging	🟢 10	packaging workflow detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/npm

11.7.0

🟢 6.1

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
License	🟢 9	license file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Fuzzing	⚠️ 0	project is not fuzzed
SAST	🟢 9	SAST tool detected but not run on all commits
Vulnerabilities	⚠️ 0	121 existing vulnerabilities detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0

npm/pacote

21.0.4

🟢 6.9

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Maintained	🟢 8	10 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 9	Found 9/10 approved changesets -- score normalized to 9
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	🟢 9	SAST tool detected but not run on all commits

npm/path-scurry

2.0.0

🟢 3.4

Details

Check	Score	Reason
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	⚠️ 0	Found 0/30 approved changesets -- score normalized to 0
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Maintained	⚠️ 2	3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2
SAST	⚠️ 0	no SAST tool detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 9	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	⚠️ 1	9 existing vulnerabilities detected

npm/postcss-selector-parser

7.1.0

🟢 3.3

Details

Check	Score	Reason
Code-Review	🟢 6	Found 18/27 approved changesets -- score normalized to 6
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Maintained	⚠️ 1	2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
Security-Policy	⚠️ 0	security policy file not detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Vulnerabilities	⚠️ 0	10 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/posthog-js

1.332.0

🟢 6.4

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 6	Found 19/29 approved changesets -- score normalized to 6
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
License	🟢 9	license file detected
Packaging	⚠️ -1	packaging workflow not detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Branch-Protection	🟢 4	branch protection is not maximal on development and all release branches
Binary-Artifacts	🟢 9	binaries present in source code
Security-Policy	🟢 10	security policy file detected
Pinned-Dependencies	🟢 4	dependency not pinned by hash detected -- score normalized to 4
Fuzzing	🟢 10	project is fuzzed
Vulnerabilities	⚠️ 0	84 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits

npm/preact

10.28.2

🟢 4.4

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	19 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Fuzzing	⚠️ 0	project is not fuzzed
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	43 existing vulnerabilities detected

npm/proc-log

5.0.0

🟢 6.4

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 3	4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3
Binary-Artifacts	🟢 10	no binaries found in the repo
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	🟢 8	SAST tool detected but not run on all commits

npm/protobufjs

7.5.4

🟢 4.6

Details

Check	Score	Reason
Maintained	⚠️ 1	2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 10	all changesets reviewed
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 9	license file detected
Fuzzing	🟢 10	project is fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	27 existing vulnerabilities detected

npm/query-selector-shadow-dom

1.0.1

Unknown

npm/react-router

6.30.2

🟢 4.7

Details

Check	Score	Reason
Security-Policy	🟢 10	security policy file detected
Code-Review	⚠️ 2	Found 7/28 approved changesets -- score normalized to 2
Maintained	🟢 10	30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
License	🟢 10	license file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	60 existing vulnerabilities detected

npm/react-router-dom

6.30.2

🟢 4.7

Details

Check	Score	Reason
Security-Policy	🟢 10	security policy file detected
Code-Review	⚠️ 2	Found 7/28 approved changesets -- score normalized to 2
Maintained	🟢 10	30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
License	🟢 10	license file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 0	60 existing vulnerabilities detected

npm/sigstore

4.0.0

🟢 8.2

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Dependency-Update-Tool	🟢 10	update tool detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 10	all changesets reviewed
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 9	dependency not pinned by hash detected -- score normalized to 9
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ -1	internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
CI-Tests	⚠️ -1	internal error: internal error: Client.Repositories.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
Contributors	🟢 6	project has 2 contributing companies or organizations -- score normalized to 6

npm/sinon

21.0.0

🟢 5.1

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	🟢 3	Found 11/29 approved changesets -- score normalized to 3
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Maintained	🟢 5	7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies	⚠️ 2	dependency not pinned by hash detected -- score normalized to 2
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 9	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	🟢 5	SAST tool is not run on all commits -- score normalized to 5
Vulnerabilities	⚠️ 0	13 existing vulnerabilities detected

npm/tuf-js

4.0.0

🟢 7.8

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dependency-Update-Tool	🟢 10	update tool detected
Maintained	🟢 10	15 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Security-Policy	🟢 10	security policy file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
SAST	⚠️ -1	internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
CI-Tests	⚠️ -1	internal error: internal error: Client.Repositories.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: Resource protected by organization SAML enforcement. You must grant your Personal Access token access to this organization.
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 5	branch protection is not maximal on development and all release branches
Vulnerabilities	🟢 4	6 existing vulnerabilities detected
Contributors	🟢 3	project has 1 contributing companies or organizations -- score normalized to 3

npm/uuid

10.0.0

🟢 4.7

Details

Check	Score	Reason
Code-Review	🟢 3	Found 9/30 approved changesets -- score normalized to 3
Security-Policy	🟢 3	security policy file detected
Maintained	⚠️ 1	0 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 1
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Packaging	🟢 10	packaging workflow detected
SAST	🟢 8	SAST tool is not run on all commits -- score normalized to 8
Vulnerabilities	⚠️ 0	16 existing vulnerabilities detected

npm/validate-npm-package-name

7.0.0

🟢 6.8

Details

Check	Score	Reason
Security-Policy	🟢 10	security policy file detected
Maintained	🟢 7	8 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 7
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 10	all changesets reviewed
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	🟢 8	SAST tool detected but not run on all commits

npm/web-vitals

4.2.4

🟢 5.5

Details

Check	Score	Reason
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	🟢 6	Found 16/26 approved changesets -- score normalized to 6
Maintained	🟢 10	26 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Security-Policy	⚠️ 0	security policy file not detected
SAST	🟢 5	SAST tool is not run on all commits -- score normalized to 5
Vulnerabilities	🟢 3	7 existing vulnerabilities detected

Scanned Manifest Files

package-lock.json

@isaacs/brace-expansion@5.0.0
@remix-run/router@1.23.1
qs@6.14.0
tar@7.5.2
lodash@4.17.21
lodash-es@4.17.21
diff@7.0.0
diff@8.0.2
diff@4.0.2
webpack@5.103.0
@emnapi/core@1.8.1
@emnapi/runtime@1.8.1
@isaacs/brace-expansion@5.0.1
@npmcli/arborist@9.2.0
@npmcli/config@10.6.0
@remix-run/router@1.23.2
@sigstore/core@3.1.0
@sigstore/sign@4.1.0
@sigstore/tuf@4.0.1
@sigstore/verify@3.1.0
@sinonjs/fake-timers@15.1.0
@tufjs/models@4.1.0
@types/node@20.5.1
ci-info@4.4.0
common-ancestor-path@2.0.0
core-js@3.47.0
diff@8.0.3
diff@4.0.4
enhanced-resolve@5.19.0
es-module-lexer@2.0.0
glob@13.0.1
ip-address@10.1.0
is-cidr@6.0.2
libnpmdiff@8.1.0
libnpmexec@10.2.0
libnpmfund@7.0.14
libnpmpack@9.1.0
lodash@4.17.23
lodash-es@4.17.23
lru-cache@11.2.5
minimatch@10.1.2
minipass-fetch@5.0.1
minipass-sized@2.0.0
node-gyp@12.2.0
npm@11.9.0
pacote@21.1.0
path-scurry@2.0.1
postcss-selector-parser@7.1.1
qs@6.14.1
react-router@6.30.3
react-router-dom@6.30.3
sigstore@4.1.0
sinon@21.0.1
tar@7.5.7
terser-webpack-plugin@5.3.16
tuf-js@4.1.0
validate-npm-package-name@7.0.2
watchpack@2.5.1
webpack@5.105.0
@deriv-com/analytics@1.35.1
@emnapi/core@1.7.1
@emnapi/runtime@1.7.1
@growthbook/growthbook@1.6.2
@npmcli/arborist@9.1.9
@npmcli/config@10.4.5
@opentelemetry/api@1.9.0
@opentelemetry/api-logs@0.208.0
@opentelemetry/core@2.2.0
@opentelemetry/core@2.4.0
@opentelemetry/exporter-logs-otlp-http@0.208.0
@opentelemetry/otlp-exporter-base@0.208.0
@opentelemetry/otlp-transformer@0.208.0
@opentelemetry/resources@2.2.0
@opentelemetry/resources@2.4.0
@opentelemetry/sdk-logs@0.208.0
@opentelemetry/sdk-metrics@2.2.0
@opentelemetry/sdk-trace-base@2.2.0
@opentelemetry/semantic-conventions@1.39.0
@parcel/watcher-android-arm64@2.5.1
@parcel/watcher-darwin-x64@2.5.1
@parcel/watcher-freebsd-x64@2.5.1
@parcel/watcher-linux-arm-glibc@2.5.1
@parcel/watcher-linux-arm-musl@2.5.1
@parcel/watcher-linux-arm64-glibc@2.5.1
@parcel/watcher-linux-arm64-musl@2.5.1
@parcel/watcher-linux-x64-glibc@2.5.1
@parcel/watcher-linux-x64-musl@2.5.1
@parcel/watcher-win32-arm64@2.5.1
@parcel/watcher-win32-ia32@2.5.1
@parcel/watcher-win32-x64@2.5.1
@posthog/core@1.13.0
@posthog/types@1.332.0
@protobufjs/aspromise@1.1.2
@protobufjs/base64@1.1.2
@protobufjs/codegen@2.0.4
@protobufjs/eventemitter@1.1.0
@protobufjs/fetch@1.1.0
@protobufjs/float@1.0.2
@protobufjs/inquire@1.1.0
@protobufjs/path@1.1.2
@protobufjs/pool@1.1.0
@protobufjs/utf8@1.1.0
@rollup/rollup-linux-x64-gnu@4.53.3
@rudderstack/analytics-js@3.26.0
@sigstore/core@3.0.0
@sigstore/sign@4.0.1
@sigstore/tuf@4.0.0
@sigstore/verify@3.0.0
@sinonjs/fake-timers@13.0.5
@tufjs/models@4.0.0
@types/node@20.5.1
ci-info@4.3.1
common-ancestor-path@1.0.1
core-js@3.47.0
dom-mutator@0.6.0
enhanced-resolve@5.18.3
es-module-lexer@1.7.0
fflate@0.4.8
glob@13.0.0
ip-address@10.0.1
is-cidr@6.0.1
libnpmdiff@8.0.12
libnpmexec@10.1.11
libnpmfund@7.0.12
libnpmpack@9.0.12
long@5.3.2
lru-cache@11.2.2
minimatch@10.1.1
minipass-fetch@5.0.0
minipass-sized@1.0.3
node-gyp@12.1.0
npm@11.7.0
pacote@21.0.4
path-scurry@2.0.0
postcss-selector-parser@7.1.0
posthog-js@1.332.0
preact@10.28.2
proc-log@5.0.0
protobufjs@7.5.4
query-selector-shadow-dom@1.0.1
react-router@6.30.2
react-router-dom@6.30.2
sigstore@4.0.0
sinon@21.0.0
terser-webpack-plugin@5.3.15
tuf-js@4.0.0
uuid@10.0.0
validate-npm-package-name@7.0.0
watchpack@2.4.4
web-vitals@4.2.4

cloudflare-workers-and-pages · 2026-02-10T06:48:06Z

Deploying dbot-reference with Cloudflare Pages

Latest commit:	`ce9f10c`
Status:	✅ Deploy successful!
Preview URL:	https://dc238b43.dbot-reference.pages.dev
Branch Preview URL:	https://ahmed-feat--refactor-whit-la.dbot-reference.pages.dev

View logs

claude · 2026-02-10T06:55:26Z

Claude finished @ahmed-deriv's task in 2m 1s —— View job

✅ PR Review Complete - All Critical Issues Resolved

I've reviewed the latest changes in this PR. Since my previous review, there have been 2 new commits:

1c8e57c - "resolve critical issues" ✅
- Added 307 lines of comprehensive tests for account-helpers.ts
- Fixed memory leak in CoreStoreProvider (removed handleLogout from deps)
- Added error cleanup in OAuth flow (clearAuthInfo() on errors)
- Added null check for GoogleDrive client initialization
- Improved type safety (replaced as any with proper interface)
- Updated TODO comment in cards.tsx for clarity
ce9f10c - "move docs to migration-docs" ✅
- Organizational change: moved white-labeling documentation to migrate-docs/ folder
- No functional changes

📊 Final Assessment

Status: ✅ APPROVED - Ready to Merge

All 5 critical issues from the previous review have been properly addressed:

Issue	Status	Details
1. Missing test coverage	✅ Fixed	Added 307 lines of tests for account-helpers.ts with comprehensive edge case coverage
2. Memory leak in CoreStoreProvider	✅ Fixed	Removed `handleLogout` from dependency array (line 150)
3. OAuth error cleanup	✅ Fixed	Added `clearAuthInfo()` call on errors (line 236)
4. Type safety issue	✅ Fixed	Replaced `as any` with `ApiWithTime` interface (lines 72-80)
5. GoogleDrive null check	✅ Fixed	Added client initialization guard (lines 311-321)

🟡 Remaining Minor Issues

Two non-blocking items remain from the previous review:

Pre-commit hooks still disabled (.husky/pre-commit:7-30)
- Type checking and linting are commented out
- ShiftAI hook is the only active check
- Recommendation: Create a tracking issue for re-enabling these checks with a timeline
TODO comment clarity (src/pages/dashboard/cards.tsx:1-2)
- Current comment: "TODO: Complete MobX integration for popup functionality"
- Still somewhat vague but improved from previous typo-filled version
- Recommendation: Either complete the popup integration or create a tracking issue reference

✨ Code Quality Highlights

Test Quality: ⭐⭐⭐

Comprehensive test suite with 307 lines covering all 6 utility functions
Proper mocking of browser APIs (localStorage, window)
Edge cases well covered (SSR, errors, URL parameters)
Clear test descriptions and organization

Security: ⭐⭐⭐

Proper OAuth PKCE implementation
Token validation with expiry checking
Secure credential handling via environment variables
XSS protection through React's built-in escaping
Auth error handling is comprehensive

Documentation: ⭐⭐⭐

Excellent white-labeling guides (694 lines in WHITE_LABELING_GUIDE.md)
Clear logo customization quick start (171 lines)
Detailed analytics re-implementation guide (737 lines)
Comprehensive changelog (478 lines)

Architecture: ⭐⭐

Clean separation of concerns
Well-designed brand configuration system
Proper error handling with ErrorLogger utility
Component-based logo system with fallbacks

🔍 Verification Checks Performed

I verified the following aspects of the implementation:

✅ Correctness

All 5 critical fixes properly implemented
Error handling paths all lead to proper cleanup
Auth flows correctly handle edge cases
MobX reactivity patterns correct

✅ React/TypeScript Best Practices

Proper use of useCallback with correct dependencies
Type safety improved (interface instead of any)
Observer pattern correctly applied
Hooks follow React guidelines

✅ Performance

Memory leak fixed (no stale subscriptions)
Proper useMemo usage in CoreStoreProvider
No expensive operations in render paths
WebSocket subscriptions properly cleaned up

✅ Security

No XSS vulnerabilities found
OAuth implementation secure (PKCE, token validation)
Secrets properly managed via env vars
Auth state properly cleaned up on errors

✅ Test Coverage

New utility functions have comprehensive tests
Edge cases covered (SSR, localStorage errors, URL params)
Analytics tests removed appropriately (analytics infrastructure removed)
Net change: -925 test lines (acceptable given analytics removal)

📝 Post-Merge Recommendations (Optional)

These can be addressed in follow-up PRs:

Re-enable pre-commit hooks - Create issue with timeline for fixing underlying lint/type errors
Complete popup functionality - Either finish the integration or create tracking issue
Bundle size analysis - Run npm run build:analyze to quantify bundle reduction from analytics removal
Token expiry buffer - Consider 5-minute buffer before actual token expiry for edge cases
Update brand config - Replace placeholder values (YourBrand, etc.) before production deployment

🎯 Conclusion

This PR successfully implements a robust white-labeling infrastructure with:

✅ Excellent documentation for future maintainers
✅ All critical issues from previous review resolved
✅ Comprehensive test coverage for new utilities
✅ Clean architecture with proper error handling
✅ Secure OAuth/PKCE implementation
✅ No blocking security issues

The two minor issues (disabled hooks and TODO comment) are non-blocking and appropriate for follow-up work.

Final Verdict: ✅ APPROVED FOR MERGE

chore: code refactoring for whit-labeling

05e107b

chore: remove analytics instances

497e04f

deriv-com deleted a comment from claude bot Feb 9, 2026

ahmed-deriv added 2 commits February 9, 2026 16:05

chore: brand config modifications for whit-labeling

ff3cd4c

chore: logo and settings config added

43ad66f

deriv-com deleted a comment from claude bot Feb 10, 2026

deriv-com deleted a comment from cloudflare-workers-and-pages bot Feb 10, 2026

deriv-com deleted a comment from claude bot Feb 10, 2026

chore: resolve critical issues

1c8e57c

deriv-com deleted a comment from claude bot Feb 10, 2026

chore: move docs to migration-docs

ce9f10c

deriv-com deleted a comment from claude bot Feb 10, 2026

ahmed-deriv merged commit 4c0e417 into master Feb 10, 2026
5 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: code refactoring for whit-labeling #15

chore: code refactoring for whit-labeling #15

Uh oh!

ahmed-deriv commented Feb 9, 2026

Uh oh!

github-actions bot commented Feb 9, 2026 •

edited

Loading

Uh oh!

cloudflare-workers-and-pages bot commented Feb 10, 2026 •

edited

Loading

Uh oh!

claude bot commented Feb 10, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

chore: code refactoring for whit-labeling #15

chore: code refactoring for whit-labeling #15

Uh oh!

Conversation

ahmed-deriv commented Feb 9, 2026

Uh oh!

github-actions bot commented Feb 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Dependency Review

OpenSSF Scorecard

Scanned Manifest Files

Uh oh!

cloudflare-workers-and-pages bot commented Feb 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Deploying dbot-reference with Cloudflare Pages

Uh oh!

claude bot commented Feb 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ PR Review Complete - All Critical Issues Resolved

📊 Final Assessment

🟡 Remaining Minor Issues

✨ Code Quality Highlights

🔍 Verification Checks Performed

📝 Post-Merge Recommendations (Optional)

🎯 Conclusion

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

github-actions bot commented Feb 9, 2026 •

edited

Loading

cloudflare-workers-and-pages bot commented Feb 10, 2026 •

edited

Loading

claude bot commented Feb 10, 2026 •

edited

Loading