
[Snyk] Upgrade playwright from 1.42.1 to 1.45.0 #4

Open: wants to merge 1 commit into base: main

Conversation

eryn-muetzel (Owner)

This PR was automatically created by Snyk using the credentials of a real user.



Snyk has created this PR to upgrade playwright from 1.42.1 to 1.45.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 157 versions ahead of your current version.

  • The recommended version was released 22 days ago.

Release notes
Package name: playwright
  • 1.45.0 - 2024-06-24

    Clock

    Utilizing the new Clock API allows you to manipulate and control time within tests to verify time-related behavior. This API covers many common scenarios, including:

    • testing with predefined time;
    • keeping consistent time and timers;
    • monitoring inactivity;
    • ticking through time manually.
    // Initialize clock and let the page load naturally.
    await page.clock.install({ time: new Date('2024-02-02T08:00:00') });
    await page.goto('http://localhost:3333');

    // Pretend that the user closed the laptop lid and opened it again at 10am,
    // Pause the time once reached that point.
    await page.clock.pauseAt(new Date('2024-02-02T10:00:00'));

    // Assert the page state.
    await expect(page.getByTestId('current-time')).toHaveText('2/2/2024, 10:00:00 AM');

    // Close the laptop lid again and open it at 10:30am.
    await page.clock.fastForward('30:00');
    await expect(page.getByTestId('current-time')).toHaveText('2/2/2024, 10:30:00 AM');

    See the clock guide for more details.

    Test runner

    • New CLI option --fail-on-flaky-tests that sets exit code to 1 upon any flaky tests. Note that by default, the test runner exits with code 0 when all failed tests recovered upon a retry. With this option, the test run will fail in such a case.

    • New environment variable PLAYWRIGHT_FORCE_TTY controls whether built-in list, line and dot reporters assume a live terminal. For example, this could be useful to disable tty behavior when your CI environment does not handle ANSI control sequences well. Alternatively, you can enable tty behavior even when no live terminal is present, if you plan to post-process the output and handle control sequences.

      # Avoid TTY features that output ANSI control sequences
      PLAYWRIGHT_FORCE_TTY=0 npx playwright test

      # Enable TTY features, assuming a terminal width 80
      PLAYWRIGHT_FORCE_TTY=80 npx playwright test

    • New options testConfig.respectGitIgnore and testProject.respectGitIgnore control whether files matching .gitignore patterns are excluded when searching for tests.

    • New property timeout is now available for custom expect matchers. This property takes into account playwright.config.ts and expect.configure().

      import { expect as baseExpect } from '@playwright/test';
      import type { Locator } from '@playwright/test';

      export const expect = baseExpect.extend({
        async toHaveAmount(locator: Locator, expected: number, options?: { timeout?: number }) {
          // When no timeout option is specified, use the config timeout.
          const timeout = options?.timeout ?? this.timeout;
          // ... implement the assertion ...
        },
      });

    Miscellaneous

    • Method locator.setInputFiles() now supports uploading a directory for <input type=file webkitdirectory> elements.

      await page.getByLabel('Upload directory').setInputFiles(path.join(__dirname, 'mydir'));
    • Multiple methods like locator.click() or locator.press() now support a ControlOrMeta modifier key. This key maps to Meta on macOS and maps to Control on Windows and Linux.

      // Press the common keyboard shortcut Control+S or Meta+S to trigger a "Save" operation.
      await page.keyboard.press('ControlOrMeta+S');
    • New property httpCredentials.send in apiRequest.newContext() that allows you to either always send the Authorization header or to send it only in response to 401 Unauthorized.

    • New option reason in apiRequestContext.dispose() that will be included in the error message of ongoing operations interrupted by the context disposal.

    • New option host in browserType.launchServer() allows you to accept websocket connections on a specific address instead of the unspecified address 0.0.0.0.

    • Playwright now supports Chromium, Firefox and WebKit on Ubuntu 24.04.

    • v1.45 is the last release to receive WebKit updates for macOS 12 Monterey. Please update macOS to keep using the latest WebKit.

    Browser Versions

    • Chromium 127.0.6533.5
    • Mozilla Firefox 127.0
    • WebKit 17.4

    This version was also tested against the following stable channels:

    • Google Chrome 126
    • Microsoft Edge 126
  • 1.45.0-beta-1719854491000 - 2024-07-01
  • 1.45.0-beta-1719819889000 - 2024-07-01
  • 1.45.0-beta-1719505820000 - 2024-06-27
  • 1.45.0-beta-1719443776000 - 2024-06-26
  • 1.45.0-beta-1719257069000 - 2024-06-24
  • 1.45.0-beta-1719257053000 - 2024-06-24
  • 1.45.0-beta-1719253817000 - 2024-06-24
  • 1.45.0-beta-1718972438000 - 2024-06-21
  • 1.45.0-beta-1718813530000 - 2024-06-19
  • 1.45.0-beta-1718782041000 - 2024-06-19
  • 1.45.0-beta-1718733727000 - 2024-06-18
  • 1.45.0-beta-1718419432000 - 2024-06-15
  • 1.45.0-beta-1718411373000 - 2024-06-15
  • 1.45.0-alpha-2024-06-15 - 2024-06-15
  • 1.45.0-alpha-2024-06-14 - 2024-06-14
  • 1.45.0-alpha-2024-06-13 - 2024-06-13
  • 1.45.0-alpha-2024-06-12 - 2024-06-12
  • 1.45.0-alpha-2024-06-11 - 2024-06-11
  • 1.45.0-alpha-2024-06-10 - 2024-06-10
  • 1.45.0-alpha-2024-06-09 - 2024-06-09
  • 1.45.0-alpha-2024-06-08 - 2024-06-08
  • 1.45.0-alpha-2024-06-07 - 2024-06-07
  • 1.45.0-alpha-2024-06-06 - 2024-06-06
  • 1.45.0-alpha-2024-06-05 - 2024-06-05
  • 1.45.0-alpha-2024-06-04 - 2024-06-04
  • 1.45.0-alpha-2024-06-03 - 2024-06-03
  • 1.45.0-alpha-2024-06-02 - 2024-06-02
  • 1.45.0-alpha-2024-06-01 - 2024-06-01
  • 1.45.0-alpha-2024-05-31 - 2024-05-31
  • 1.45.0-alpha-2024-05-30 - 2024-05-30
  • 1.45.0-alpha-2024-05-29 - 2024-05-29
  • 1.45.0-alpha-2024-05-28 - 2024-05-28
  • 1.45.0-alpha-2024-05-27 - 2024-05-27
  • 1.45.0-alpha-2024-05-26 - 2024-05-26
  • 1.45.0-alpha-2024-05-25 - 2024-05-25
  • 1.45.0-alpha-2024-05-24 - 2024-05-24
  • 1.45.0-alpha-2024-05-23 - 2024-05-23
  • 1.45.0-alpha-2024-05-22 - 2024-05-22
  • 1.45.0-alpha-2024-05-21 - 2024-05-21
  • 1.45.0-alpha-2024-05-20 - 2024-05-20
  • 1.45.0-alpha-2024-05-19 - 2024-05-19
  • 1.45.0-alpha-2024-05-18 - 2024-05-18
  • 1.45.0-alpha-2024-05-17 - 2024-05-17
  • 1.45.0-alpha-2024-05-16 - 2024-05-16
  • 1.45.0-alpha-2024-05-15 - 2024-05-15
  • 1.45.0-alpha-2024-05-14 - 2024-05-14
  • 1.45.0-alpha-2024-05-13 - 2024-05-13
  • 1.45.0-alpha-2024-05-12 - 2024-05-12
  • 1.45.0-alpha-2024-05-11 - 2024-05-11
  • 1.45.0-alpha-2024-05-10 - 2024-05-10
  • 1.45.0-alpha-2024-05-09 - 2024-05-09
  • 1.45.0-alpha-2024-05-08 - 2024-05-08
  • 1.45.0-alpha-2024-05-07 - 2024-05-07
  • 1.45.0-alpha-2024-05-06 - 2024-05-06
  • 1.45.0-alpha-2024-04-30 - 2024-04-30
  • 1.45.0-alpha-1716491102000 - 2024-05-23
  • 1.45.0-alpha-1714760563000 - 2024-05-06
  • 1.44.1 - 2024-05-23

    Highlights

    #30779 - [REGRESSION]: When using video: 'on' with VSCode extension the browser got closed
    #30755 - [REGRESSION]: Electron launch with spaces inside executablePath didn't work
    #30770 - [REGRESSION]: Mask elements outside of viewport when creating fullscreen screenshots didn't work
    #30858 - [REGRESSION]: ipv6 got shown instead of localhost in show-trace/show-report

    Browser Versions

    • Chromium 125.0.6422.14
    • Mozilla Firefox 125.0.1
    • WebKit 17.4

    This version was also tested against the following stable channels:

    • Google Chrome 124
    • Microsoft Edge 124
  • 1.44.1-beta-1716453231000 - 2024-05-23
  • 1.44.1-beta-1716449392000 - 2024-05-23
  • 1.44.0 - 2024-05-06

    New APIs

    Accessibility assertions

    • expect(locator).toHaveAccessibleName() checks if the element has the specified accessible name:

      const locator = page.getByRole('button');
      await expect(locator).toHaveAccessibleName('Submit');
    • expect(locator).toHaveAccessibleDescription() checks if the element has the specified accessible description:

      const locator = page.getByRole('button');
      await expect(locator).toHaveAccessibleDescription('Upload a photo');
    • expect(locator).toHaveRole() checks if the element has the specified ARIA role:

      const locator = page.getByTestId('save-button');
      await expect(locator).toHaveRole('button');

    Locator handler

    • After executing the handler added with page.addLocatorHandler(), Playwright will now wait until the overlay that triggered the handler is not visible anymore. You can opt-out of this behavior with the new noWaitAfter option.
    • You can use the new times option in page.addLocatorHandler() to specify the maximum number of times the handler should be run.
    • The handler in page.addLocatorHandler() now accepts the locator as argument.
    • New page.removeLocatorHandler() method for removing previously added locator handlers.
    const locator = page.getByText('This interstitial covers the button');
    await page.addLocatorHandler(locator, async overlay => {
      await overlay.locator('#close').click();
    }, { times: 3, noWaitAfter: true });
    // Run your tests that can be interrupted by the overlay.
    // ...
    await page.removeLocatorHandler(locator);

    Miscellaneous options

    • multipart option in apiRequestContext.fetch() now accepts FormData and supports repeating fields with the same name.

      const formData = new FormData();
      formData.append('file', new File(['let x = 2024;'], 'f1.js', { type: 'text/javascript' }));
      formData.append('file', new File(['hello'], 'f2.txt', { type: 'text/plain' }));
      await context.request.post('https://example.com/uploadFiles', {
        multipart: formData
      });
    • expect(callback).toPass({ intervals }) can now be configured by expect.toPass.intervals option globally in testConfig.expect or per project in testProject.expect.

    • expect(page).toHaveURL(url) now supports ignoreCase option.

    • testProject.ignoreSnapshots allows you to configure per project whether to skip screenshot expectations.

    Reporter API

    • New method suite.entries() returns child test suites and test cases in their declaration order. suite.type and testCase.type can be used to tell apart test cases and suites in the list.
    • Blob reporter now allows overriding report file path with a single option outputFile. The same option can also be specified as PLAYWRIGHT_BLOB_OUTPUT_FILE environment variable that might be more convenient on CI/CD.
    • JUnit reporter now supports includeProjectInTestName option.

    Command line

    • --last-failed CLI option for running only tests that failed in the previous run.

      First run all tests:

      test

      Running 103 tests using 5 workers
      ...
      2 failed
      [chromium] › my-test.spec.ts:8:5 › two ─────────────────────────────────────────────────────────
      [chromium] › my-test.spec.ts:13:5 › three ──────────────────────────────────────────────────────
      101 passed (30.0s)

      Now fix the failing tests and run Playwright again with --last-failed option:

      test --last-failed

      Running 2 tests using 2 workers
      2 passed (1.2s)

    Browser Versions

    • Chromium 125.0.6422.14
    • Mozilla Firefox 125.0.1
    • WebKit 17.4

    This version was also tested against the following stable channels:

    • Google Chrome 124
    • Microsoft Edge 124
  • 1.44.0-beta-1716306049000 - 2024-05-21
  • 1.44.0-beta-1716285871000 - 2024-05-21
  • 1.44.0-beta-1715802478000 - 2024-05-15
  • 1.44.0-beta-1715791608000 - 2024-05-15
  • 1.44.0-beta-1715706051000 - 2024-05-14
  • 1.44.0-beta-1715189091000 - 2024-05-08
  • 1.44.0-beta-1715020014000 - 2024-05-06
  • 1.44.0-beta-1715018865000 - 2024-05-06
  • 1.44.0-beta-1714753004000 - 2024-05-06
  • 1.44.0-beta-1714435420000 - 2024-04-30
  • 1.44.0-beta-1714434520000 - 2024-04-29
  • 1.44.0-alpha-2024-04-29 - 2024-04-29
  • 1.44.0-alpha-2024-04-28 - 2024-04-28
  • 1.44.0-alpha-2024-04-27 - 2024-04-27
  • 1.44.0-alpha-2024-04-26 - 2024-04-26
  • 1.44.0-alpha-2024-04-25 - 2024-04-25
  • 1.44.0-alpha-2024-04-24 - 2024-04-24
  • 1.44.0-alpha-2024-04-23 - 2024-04-23
  • 1.44.0-alpha-2024-04-22 - 2024-04-22
  • 1.44.0-alpha-2024-04-19 - 2024-04-19
  • 1.44.0-alpha-2024-04-18 - 2024-04-18
  • 1.44.0-alpha-2024-04-17 - 2024-04-17
  • 1.44.0-alpha-2024-04-16 - 2024-04-16
  • 1.44.0-alpha-2024-04-15 - 2024-04-15
  • 1.44.0-alpha-2024-04-14 - 2024-04-14
  • 1.44.0-alpha-2024-04-13 - 2024-04-13
  • 1.44.0-alpha-2024-04-12 - 2024-04-12
  • 1.44.0-alpha-2024-04-11 - 2024-04-11
  • 1.44.0-alpha-2024-04-10 - 2024-04-10
  • 1.44.0-alpha-2024-04-09 - 2024-04-09
  • 1.44.0-alpha-2024-04-08 - 2024-04-08
  • 1.44.0-alpha-2024-04-07 - 2024-04-07
  • 1.44.0-alpha-2024-04-06 - 2024-04-06
  • 1.44.0-alpha-2024-04-05 - 2024-04-05
  • 1.44.0-alpha-2024-04-04 - 2024-04-04
  • 1.44.0-alpha-2024-04-03 - 2024-04-03
  • 1.44.0-alpha-2024-04-02 - 2024-04-02
  • 1.44.0-alpha-2024-04-01 - 2024-04-01
  • 1.44.0-alpha-2024-03-31 - 2024-03-31
  • 1.44.0-alpha-2024-03-30 - 2024-03-30
  • 1.44.0-alpha-2024-03-29 - 2024-03-29
  • 1.44.0-alpha-2024-03-28 - 2024-03-28
  • 1.44.0-alpha-2024-03-27 - 2024-03-27
  • 1.44.0-alpha-1714168971000 - 2024-04-26
  • 1.44.0-alpha-1711994091000 - 2024-04-01
  • 1.43.1 - 2024-04-12

    Highlights

    #30300 - [REGRESSION]: UI mode restarts if keep storage state
    #30339 - [REGRESSION]: Brand new install of playwright, unable to run chromium with show browser using vscode

    Browser Versions

    • Chromium 124.0.6367.29
    • Mozilla Firefox 124.0
    • WebKit 17.4

    This version was also tested against the following stable channels:

    • Google Chrome 123
    • Microsoft Edge 123
  • 1.43.1-beta-1712942342000 - 2024-04-12
  • 1.43.0 - 2024-04-04

    New APIs

    • Method browserContext.clearCookies() now supports filters to remove only some cookies.

      // Clear all cookies.
      await context.clearCookies();
      // New: clear cookies with a particular name.
      await context.clearCookies({ name: 'session-id' });
      // New: clear cookies for a particular domain.
      await context.clearCookies({ domain: 'my-origin.com' });
    • New mode retain-on-first-failure for testOptions.trace. In this mode, trace is recorded for the first run of each test, but not for retries. When the test run fails, the trace file is retained, otherwise it is removed.

      import { defineConfig } from '@playwright/test';

      export default defineConfig({
        use: {
          trace: 'retain-on-first-failure',
        },
      });

    • New property testInfo.tags exposes test tags during test execution.

      test('example', async ({ page }) => {
        console.log(test.info().tags);
      });
    • New method locator.contentFrame() converts a Locator object to a FrameLocator. This can be useful when you have a Locator object obtained somewhere, and later on would like to interact with the content inside the frame.

      const locator = page.locator('iframe[name="embedded"]');
      // ...
      const frameLocator = locator.contentFrame();
      await frameLocator.getByRole('button').click();
    • New method frameLocator.owner() converts a FrameLocator object to a Locator. This can be useful when you have a FrameLocator object obtained somewhere, and later on would like to interact with the iframe element.

      const frameLocator = page.frameLocator('iframe[name="embedded"]');
      // ...
      const locator = frameLocator.owner();
      await expect(locator).toBeVisible();

    UI Mode Updates

    Playwright UI Mode

    • See tags in the test list.
    • Filter by tags by typing @fast or clicking on the tag itself.
    • New shortcuts:
      • F5 to run tests.
      • Shift F5 to stop running tests.
      • Ctrl ` to toggle test output.

    Browser Versions

    • Chromium 124.0.6367.29
    • Mozilla Firefox 124.0
    • WebKit 17.4

    This version was also tested against the following stable channels:

    • Google Chrome 123
    • Microsoft Edge 123
  • 1.43.0-beta-1712871607000 - 2024-04-11
  • 1.43.0-beta-1712860105000 - 2024-04-11
  • 1.43.0-beta-1712646596000 - 2024-04-09
  • 1.43.0-beta-1712258732000 - 2024-04-04
  • 1.43.0-beta-1712217576000 - 2024-04-04
  • 1.43.0-beta-1712173949000 - 2024-04-03
  • 1.43.0-beta-1712010778000 - 2024-04-01
  • 1.43.0-beta-1711849714000 - 2024-03-31
  • 1.43.0-beta-1711742093000 - 2024-03-29
  • 1.43.0-beta-1711653598000 - 2024-03-28
  • 1.43.0-beta-1711554436000 - 2024-03-27
  • 1.43.0-beta-1711493485000 - 2024-03-26
  • 1.43.0-beta-1711484700000 - 2024-03-26
  • 1.43.0-beta-1709675102000 - 2024-03-05
  • 1.43.0-alpha-2024-03-26 - 2024-03-26
  • 1.43.0-alpha-2024-03-25 - 2024-03-25
  • 1.43.0-alpha-2024-03-24 - 2024-03-24
  • 1.43.0-alpha-2024-03-23 - 2024-03-23
  • 1.43.0-alpha-2024-03-22 - 2024-03-22
  • 1.43.0-alpha-2024-03-21 - 2024-03-21
  • 1.43.0-alpha-2024-03-20 - 2024-03-20
  • 1.43.0-alpha-2024-03-19 - 2024-03-19
  • 1.43.0-alpha-2024-03-18 - 2024-03-18
  • 1.43.0-alpha-2024-03-17 - 2024-03-17
  • 1.43.0-alpha-2024-03-16 - 2024-03-16
  • 1.43.0-alpha-2024-03-15 - 2024-03-15
  • 1.43.0-alpha-2024-03-14 - 2024-03-14
  • 1.43.0-alpha-2024-03-13 - 2024-03-13
  • 1.43.0-alpha-2024-03-12 - 2024-03-12
  • 1.43.0-alpha-2024-03-11 - 2024-03-11
  • 1.43.0-alpha-2024-03-10 - 2024-03-10
  • 1.43.0-alpha-2024-03-09 - 2024-03-09
  • 1.43.0-alpha-2024-03-08 - 2024-03-08
  • 1.43.0-alpha-2024-03-07 - 2024-03-07
  • 1.43.0-alpha-2024-03-06 - 2024-03-06
  • 1.43.0-alpha-2024-03-05 - 2024-03-05
  • 1.43.0-alpha-2024-03-04 - 2024-03-04
  • 1.43.0-alpha-2024-03-03 - 2024-03-03
  • 1.43.0-alpha-2024-03-02 - 2024-03-02
  • 1.43.0-alpha-2024-03-01 - 2024-03-01
  • 1.43.0-alpha-2024-02-29 - 2024-02-29
  • 1.43.0-alpha-2024-02-28 - 2024-02-28
  • 1.43.0-alpha-1711470013000 - 2024-03-26
  • 1.43.0-alpha-1711027602000 - 2024-03-21
  • 1.43.0-alpha-1710520846000 - 2024-03-15
  • 1.43.0-alpha-1709847741000 - 2024-03-07
  • 1.43.0-alpha-1709823751000 - 2024-03-07
  • 1.42.1 - 2024-03-02

    Highlights

    #29732 - [Regression]: HEAD requests to webServer.url since v1.42.0
    #29746 - [Regression]: Playwright CT CLI scripts fail due to broken initializePlugin import
    #29739 - [Bug]: Component tests fails when imported a module with a dot in a name
    #29731 - [Regression]: 1.42.0 breaks some import statements
    #29760 - [Bug]: Possible regression with chained locators in v1.42

    Browser Versions

    • Chromium 123.0.6312.4
    • Mozilla Firefox 123.0
    • WebKit 17.4

    This version was also tested against the following stable channels:

    • Google Chrome 122
    • Microsoft Edge 123
from playwright GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade playwright from 1.42.1 to 1.45.0.

See this package in npm:
playwright

See this project in Snyk:
https://app.snyk.io/org/eryn-muetzel/project/0c5924b1-f0dd-47b6-9de1-8c9fb6f5c7cb?utm_source=github&utm_medium=referral&page=upgrade-pr

Minder Vulnerability Report ✅

Minder analyzed this PR and found no vulnerable dependencies.

Vulnerability scan of 360460d4:

  • 🐞 vulnerable packages: 0
  • 🛠 fixes available for: 0


🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert: Install scripts
Package: npm/[email protected]
Note:
  • Install script: postinstall
  • Source: node ./bin/compute-project-graph
CI: 🚫

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all


⚠️ MALICIOUS PACKAGES ⚠️

Minder has detected that this pull request is introducing malicious software dependencies using data from Trusty:

Package: fsevents
Summary: Malicious code in fsevents (npm)
Details: This advisory is intended to inform the npm ecosystem with details to resolve a third-party malware incident that may have impacted your infrastructure if you are directly or transitively dependent on the fsevents npm package.


fsevents v1.0.0 <= v1.2.10 downloaded binary executables that contained unintended code due to an expired cloud storage resource being reclaimed by a third party.


The fsevents npm package v1.0.0 through v1.2.10 attempts to fetch a pre-built binary executable artifact (fse.node) from cloud storage. If this fetch fails, fsevents v1.x will attempt to build this artifact directly from source.

Version 1.x of fsevents has been deprecated for several years and as a result the aforementioned cloud storage resource namespace was available for registration. A third party, unrelated to the fsevents maintainers, subsequently claimed this namespace and in April 2023 this third party started serving modified versions of the “fse.node” binary executable artifact to new fsevents v1.x users.

As of April 27, 2023 the cloud storage resource in question has been indefinitely suspended and is no longer serving binaries.

The affected cloud storage pre-fetch was removed in fsevents version 1.2.11.


The impact of the modified versions of fse.node appears to be limited to information gathering.

Note that initial analysis was performed for the modified artifact associated with fsevents v1.2.9, which was distributed as fse-v1.2.9-node-v72-darwin-x64.tar.gz prior to the cloud storage resource being suspended.

For more detailed analysis you may compare a decompilation of the v1.x fse.node artifacts on your systems with the intended fsevents v1.x source as it exists at https://github.com/fsevents/fsevents/tree/v1.x


If you are dependent on the deprecated version of fsevents v1.x, the recommended course of action is to upgrade to fsevents v2.x or remove the dependency altogether as currently maintained versions of Node.js no longer require fsevents for file system watching on macOS.

Dependency Information

Minder analyzed the dependencies introduced in this pull request and detected that some dependencies do not meet your security profile.

📦 Dependency: @nrwl/nx-darwin-arm64

Trusty Score: 0

Scoring details
Component Score
Malicious false
Package activity 0
Provenance 0

📦 Dependency: @nrwl/nx-darwin-x64

Trusty Score: 0

Scoring details
Component Score
Malicious false
Package activity 0
Provenance 0

📦 Dependency: @nrwl/nx-linux-arm-gnueabihf

Trusty Score: 0

Scoring details
Component Score
Malicious false
Package activity 0
Provenance 0

📦 Dependency: @nrwl/nx-linux-arm64-gnu

Trusty Score: 0

Scoring details
Component Score
Malicious false
Package activity 0
Provenance 0

📦 Dependency: @nrwl/nx-linux-arm64-musl

Trusty Score: 0

Scoring details
Component Score
Malicious false
Package activity 0
Provenance 0

📦 Dependency: @nrwl/nx-linux-x64-gnu

Trusty Score: 0

Scoring details
Component Score
Malicious false
Package activity 0
Provenance 0

📦 Dependency: @nrwl/nx-linux-x64-musl

Trusty Score: 0

Scoring details
Component Score
Package activity 0
Provenance 0
Malicious false

📦 Dependency: @nrwl/nx-win32-arm64-msvc

Trusty Score: 0

Scoring details
Component Score
Malicious false
Package activity 0
Provenance 0

📦 Dependency: @nrwl/nx-win32-x64-msvc

Trusty Score: 0

Scoring details
Component Score
Malicious false
Package activity 0
Provenance 0

📦 Dependency: json-schema-traverse

Trusty Score: 4.8

Scoring details
Component Score
Malicious false
User activity 6.5
Repository activity 3.1
From activity
Package activity 4.8
Trust-summary 4.7
Provenance 8
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 9
Number of git tags or releases 8
Versions matched to tags or releases 5


⚠️ MALICIOUS PACKAGES ⚠️

Minder has detected that this pull request is introducing malicious software dependencies using data from Trusty:

Package: fsevents
Summary: Malicious code in fsevents (npm)
Details: This advisory is intended to inform the npm ecosystem with details to resolve a third-party malware incident that may have impacted your infrastructure if you are directly or transitively dependent on the fsevents npm package.

Dependency Information

Minder analyzed the dependencies introduced in this pull request and detected that some dependencies do not meet your security profile.

📦 Dependency: @nrwl/cli

Trusty Score: 0

Scoring details
Component Score
Provenance_type unknown
Provenance 0
Trust-summary 6.3
From provenance
User activity 8.7
Repository activity 8.7
Package activity 8.7

📦 Dependency: @nrwl/nx-darwin-arm64

Trusty Score: 0

Scoring details
Component Score
Provenance_type unknown
Provenance 0
User activity 0
Repository activity 0
From activity
Package activity 0
Trust-summary 2.6

📦 Dependency: @nrwl/nx-darwin-x64

Trusty Score: 0

Scoring details
Component Score
Provenance_type unknown
Provenance 0
From activity
User activity 0
Repository activity 0
Package activity 0
Trust-summary 2.6

📦 Dependency: @nrwl/nx-linux-arm-gnueabihf

Trusty Score: 0

Scoring details
Component Score
Package activity 0
Trust-summary 2.6
Provenance_type unknown
Provenance 0
User activity 0
Repository activity 0
From activity

📦 Dependency: @nrwl/nx-linux-arm64-gnu

Trusty Score: 0

Scoring details
Component Score
From activity
User activity 0
Repository activity 0
Package activity 0
Trust-summary 2.7
Provenance_type unknown
Provenance 0

📦 Dependency: @nrwl/nx-linux-arm64-musl

Trusty Score: 0

Scoring details
Component Score
User activity 0
Repository activity 0
Package activity 0
Trust-summary 2.6
Provenance_type unknown
Provenance 0
From activity

📦 Dependency: @nrwl/nx-linux-x64-gnu

Trusty Score: 0

Scoring details
Component Score
Trust-summary 2.7
Provenance_type unknown
Provenance 0
User activity 0
Repository activity 0
From activity
Package activity 0

📦 Dependency: @nrwl/nx-linux-x64-musl

Trusty Score: 0

Scoring details
Component Score
Trust-summary 2.8
Provenance_type unknown
Provenance 0
From activity
User activity 0
Repository activity 0
Package activity 0

📦 Dependency: @nrwl/nx-win32-arm64-msvc

Trusty Score: 0

Scoring details
Component Score
Trust-summary 2.7
Provenance_type unknown
Provenance 0
From activity
User activity 0
Repository activity 0
Package activity 0

📦 Dependency: @nrwl/nx-win32-x64-msvc

Trusty Score: 0

Scoring details
Component Score
Provenance_type unknown
Provenance 0
From activity
User activity 0
Repository activity 0
Package activity 0
Trust-summary 2.6

📦 Dependency: @nrwl/tao

Trusty Score: 0

Scoring details
Component Score
Provenance_type verified_provenance_match
Provenance 0
User activity 8.7
Repository activity 8.7
From activity
Package activity 8.7
Trust-summary 9.3
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 1613
Number of git tags or releases 313
Versions matched to tags or releases 247

This package has been digitally signed using sigstore.

Source repository https://github.com/nrwl/nx
Certificate Issuer CN=sigstore-intermediate,O=sigstore.dev
GitHub action workflow .github/workflows/publish.yml
Rekor (public ledger) entry https://search.sigstore.dev/?logIndex=137014867

📦 Dependency: @nrwl/workspace

Trusty Score: 0

Scoring details
Component Score
Provenance_type verified_provenance_match
Provenance 0
User activity 8.7
Repository activity 8.7
Package activity 8.7
Trust-summary 9.2
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 1645
Number of git tags or releases 313
Versions matched to tags or releases 247

This package has been digitally signed using sigstore.

Source repository https://github.com/nrwl/nx
Certificate Issuer CN=sigstore-intermediate,O=sigstore.dev
GitHub action workflow .github/workflows/publish.yml
Rekor (public ledger) entry https://search.sigstore.dev/?logIndex=137014897

📦 Dependency: @parcel/watcher

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 8.4
Repository activity 4.8
Package activity 6.6
Trust-summary 5.2
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 37
Number of git tags or releases 25
Versions matched to tags or releases 21

📦 Dependency: acorn

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 9.4
Repository activity 6.8
Package activity 8.1
Trust-summary 6.2
From provenance
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 136
Number of git tags or releases 103
Versions matched to tags or releases 102

📦 Dependency: ajv

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 8.5
Repository activity 7.6
Package activity 8
Trust-summary 7.4
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 357
Number of git tags or releases 121
Versions matched to tags or releases 100

📦 Dependency: ansi-styles

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 10
Repository activity 3.7
Package activity 6.8
Trust-summary 5.3
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 28
Number of git tags or releases 27
Versions matched to tags or releases 26

📦 Dependency: babel-plugin-macros

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 9.6
Repository activity 5.1
Package activity 7.3
Trust-summary 5
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 37
Number of git tags or releases 39
Versions matched to tags or releases 22

📦 Dependency: brace-expansion

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 9.4
Repository activity 3.5
Package activity 6.5
Trust-summary 4.9
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 19
Number of git tags or releases 18
Versions matched to tags or releases 17

📦 Dependency: chalk

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 9.9
Repository activity 6.4
Package activity 8.2
Trust-summary 5.6
From provenance
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 38
Number of git tags or releases 44
Versions matched to tags or releases 37

📦 Dependency: cliui

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 8.1
Repository activity 4.2
Package activity 6.2
Trust-summary 5.2
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 25
Number of git tags or releases 39
Versions matched to tags or releases 24

📦 Dependency: cosmiconfig

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 8.6
Repository activity 5.1
Package activity 6.8
Trust-summary 5.1
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 57
Number of git tags or releases 59
Versions matched to tags or releases 50

📦 Dependency: dotenv

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 8.8
Repository activity 6.6
Package activity 7.7
Trust-summary 5.8
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 86
Number of git tags or releases 78
Versions matched to tags or releases 75

📦 Dependency: emoji-regex

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 8.7
Repository activity 4.9
Package activity 6.8
Trust-summary 4.9
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 35
Number of git tags or releases 35
Versions matched to tags or releases 34

📦 Dependency: fast-glob

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 9.4
Repository activity 5.1
Package activity 7.2
Trust-summary 5.2
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 43
Number of git tags or releases 40
Versions matched to tags or releases 37

📦 Dependency: fast-uri

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 8.4
Repository activity 3.4
Package activity 5.9
Trust-summary 4.9
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 14
Number of git tags or releases 13
Versions matched to tags or releases 13

📦 Dependency: fs-extra

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 9.2
Repository activity 6.5
Package activity 7.8
Trust-summary 6
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 96
Number of git tags or releases 89
Versions matched to tags or releases 89

📦 Dependency: glob

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 10
Repository activity 6.1
Package activity 8
Trust-summary 6
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 170
Number of git tags or releases 112
Versions matched to tags or releases 108

📦 Dependency: has-flag

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 9.6
Repository activity 2.7
Package activity 6.2
Trust-summary 4.2
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 6
Number of git tags or releases 5
Versions matched to tags or releases 5

📦 Dependency: json-schema-traverse

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 6.5
Repository activity 3.1
Package activity 4.8
Trust-summary 4.4
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 9
Number of git tags or releases 8
Versions matched to tags or releases 5

📦 Dependency: minimatch

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 9.3
Repository activity 5.3
Package activity 7.4
Trust-summary 5.7
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 110
Number of git tags or releases 104
Versions matched to tags or releases 101

📦 Dependency: nx

Trusty Score: 0

Scoring details
Component Score
Provenance_type verified_provenance_match
Provenance 0
User activity 8.9
Repository activity 8.7
Package activity 8.8
Trust-summary 9.4
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 1501
Number of git tags or releases 346
Versions matched to tags or releases 278

This package has been digitally signed using sigstore.

Source repository https://github.com/nrwl/nx
Certificate Issuer CN=sigstore-intermediate,O=sigstore.dev
GitHub action workflow .github/workflows/publish.yml
Rekor (public ledger) entry https://search.sigstore.dev/?logIndex=149132471

📦 Dependency: playwright

Trusty Score: 0

Scoring details
Component Score
Provenance_type verified_provenance_match
Provenance 0
User activity 9.5
Repository activity 10
Package activity 9.7
Trust-summary 10
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 4660
Number of git tags or releases 125
Versions matched to tags or releases 98

This package has been digitally signed using sigstore.

Source repository https://github.com/microsoft/playwright
Certificate Issuer CN=sigstore-intermediate,O=sigstore.dev
GitHub action workflow .github/workflows/publish_release_npm.yml
Rekor (public ledger) entry https://search.sigstore.dev/?logIndex=149571219

📦 Dependency: playwright-core

Trusty Score: 0

Scoring details
Component Score
Provenance_type verified_provenance_match
Provenance 0
User activity 9.5
Repository activity 10
Package activity 9.7
Trust-summary 10
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 4646
Number of git tags or releases 125
Versions matched to tags or releases 98

This package has been digitally signed using sigstore.

Source repository https://github.com/microsoft/playwright
Certificate Issuer CN=sigstore-intermediate,O=sigstore.dev
GitHub action workflow .github/workflows/publish_release_npm.yml
Rekor (public ledger) entry https://search.sigstore.dev/?logIndex=149571274

📦 Dependency: rxjs

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 9
Repository activity 8.7
Package activity 8.9
Trust-summary 7.3
From provenance
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 162
Number of git tags or releases 94
Versions matched to tags or releases 85

📦 Dependency: search-insights

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 9.7
Repository activity 4.7
Package activity 7.2
Trust-summary 4.8
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 65
Number of git tags or releases 57
Versions matched to tags or releases 54

📦 Dependency: string-width

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 9.8
Repository activity 4
Package activity 6.9
Trust-summary 5
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 24
Number of git tags or releases 23
Versions matched to tags or releases 23

📦 Dependency: supports-color

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 10
Repository activity 4.2
Package activity 7.1
Trust-summary 5.2
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 50
Number of git tags or releases 57
Versions matched to tags or releases 49

📦 Dependency: tslib

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 9.7
Repository activity 5.8
Package activity 7.8
Trust-summary 5.6
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 48
Number of git tags or releases 87
Versions matched to tags or releases 45

📦 Dependency: v8-compile-cache

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 7.7
Repository activity 4.1
Package activity 5.9
Trust-summary 4.6
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 13
Number of git tags or releases 13
Versions matched to tags or releases 13

📦 Dependency: wrap-ansi

Trusty Score: 0

Scoring details
Component Score
Provenance_type historical_provenance_match
Provenance 0
User activity 9.7
Repository activity 3.3
Package activity 6.5
Trust-summary 4.7
From activity
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 20
Number of git tags or releases 18
Versions matched to tags or releases 18

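The Trusty report above is produced server-side from registry and repository data. A complementary check a reviewer can run locally against the PR's package-lock.json, added here as an example and not code from the PR, Snyk, Minder or Trusty: it flags dependencies whose version falls in a known-bad range, whose tarball resolves from a host other than the public npm registry, or which carry no integrity hash. The lockfile, the `sha512-CONSTRUCTED` hashes, the `mirror.example.internal` host and the `KNOWN_BAD_RANGES` deny-list are all constructed for the example; the only real datum is the fsevents v1.0.0 through v1.2.10 range from the advisory quoted further down this thread.

```python
"""Offline audit of an npm lockfile (lockfileVersion 2/3 "packages" map).

Added example; not part of the PR or of any tool named in the thread.
Sample data below is constructed, except the fsevents 1.0.0..1.2.10 range.
"""
import json
import re
from urllib.parse import urlparse

EXPECTED_REGISTRY_HOST = "registry.npmjs.org"

# Constructed deny-list: package name -> inclusive (min, max) version ranges.
# The fsevents range is the one given in the advisory quoted in this thread.
KNOWN_BAD_RANGES = {
    "fsevents": [("1.0.0", "1.2.10")],
}


def parse_version(v):
    """Turn 'MAJOR.MINOR.PATCH[-pre][+build]' into a comparable tuple.

    A pre-release sorts before the release with the same core; build
    metadata is ignored, as semver requires.  Two pre-releases with the
    same core are compared as plain strings, which is good enough here.
    """
    m = re.fullmatch(
        r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?", v
    )
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    return core + ((0,) if pre is None else (-1, pre))


def in_bad_range(name, version):
    """True if (name, version) lies inside any deny-listed range."""
    v = parse_version(version)
    return any(
        parse_version(lo) <= v <= parse_version(hi)
        for lo, hi in KNOWN_BAD_RANGES.get(name, [])
    )


def package_name_from_path(path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock):
    """Return (package, version, finding) tuples for a parsed lockfile dict."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):
            continue  # the root project and workspace symlinks have no tarball
        name = package_name_from_path(path)
        version = entry.get("version", "")
        if in_bad_range(name, version):
            findings.append((name, version, "version in known-bad range"))
        resolved = entry.get("resolved")
        if resolved is None:
            findings.append((name, version, "no resolved URL"))
            continue
        host = urlparse(resolved).hostname
        if host != EXPECTED_REGISTRY_HOST:
            findings.append((name, version, f"resolved from unexpected host {host}"))
        if "integrity" not in entry:
            findings.append((name, version, "missing integrity hash"))
    return findings


# Constructed lockfile: one clean entry, one entry in the deny-listed range,
# one entry fetched from a private mirror without an integrity hash.
SAMPLE_LOCKFILE = json.loads("""{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/playwright": {
      "version": "1.45.0",
      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.45.0.tgz",
      "integrity": "sha512-CONSTRUCTED"
    },
    "node_modules/fsevents": {
      "version": "1.2.9",
      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-1.2.9.tgz",
      "integrity": "sha512-CONSTRUCTED",
      "optional": true
    },
    "node_modules/left-pad-ish": {
      "version": "0.1.0",
      "resolved": "https://mirror.example.internal/left-pad-ish/-/left-pad-ish-0.1.0.tgz"
    }
  }
}""")

if __name__ == "__main__":
    for name, version, finding in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"{name}@{version}: {finding}")
```

Run against a real lockfile with `audit_lockfile(json.load(open("package-lock.json")))`; an `optional: true` entry such as fsevents is still worth flagging, because npm will install it on any matching platform.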

stacklok-cloud bot commented Dec 2, 2024

⚠️ MALICIOUS PACKAGES ⚠️

Minder has detected that this pull request is introducing malicious software dependencies using data from Trusty:

Package fsevents
Summary Malicious code in fsevents (npm)
Details
This advisory is intended to inform the npm ecosystem with details to resolve a third-party malware incident that may have impacted your infrastructure if you are directly or transitively dependent on the fsevents npm package.


fsevents v1.0.0 <= v1.2.10 downloaded binary executables that contained unintended code due to an expired cloud storage resource being reclaimed by a third party.


The fsevents npm package v1.0.0 through v1.2.10 attempts to fetch a pre-built binary executable artifact (fse.node) from cloud storage. If this fetch fails, fsevents v1.x will attempt to build this artifact directly from source.

Version 1.x of fsevents has been deprecated for several years and as a result the aforementioned cloud storage resource namespace was available for registration. A third party, unrelated to the fsevents maintainers, subsequently claimed this namespace and in April 2023 this third party started serving modified versions of the “fse.node” binary executable artifact to new fsevents v1.x users.

As of April 27, 2023 the cloud storage resource in question has been indefinitely suspended and is no longer serving binaries.

The affected cloud storage pre-fetch was removed in fsevents version 1.2.11.


The impact of the modified versions of fse.node appears to be limited to information gathering.

Note that initial analysis was performed for the modified artifact associated with fsevents v1.2.9, which was distributed as fse-v1.2.9-node-v72-darwin-x64.tar.gz prior to the cloud storage resource being suspended.

For more detailed analysis you may compare a decompilation of the v1.x fse.node artifacts on your systems with the intended fsevents v1.x source as it exists at https://github.com/fsevents/fsevents/tree/v1.x


If you are dependent on the deprecated version of fsevents v1.x, the recommended course of action is to upgrade to fsevents v2.x or remove the dependency altogether as currently maintained versions of Node.js no longer require fsevents for file system watching on macOS.

Dependency Information

Minder analyzed the dependencies introduced in this pull request and detected that some dependencies do not meet your security profile.

📦 Dependency: @nrwl/cli

Trusty Score: 0

Scoring details
Component Score
Package activity 8.8
Repository activity 8.7
User activity 8.8
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 997
Number of git tags or releases 57
Versions matched to tags or releases 3
Alternatives
Package Score Description
@angular/cli 0
create-react-app 0

📦 Dependency: @nrwl/nx-darwin-arm64

Trusty Score: 0

Scoring details
Component Score
Provenance unknown

📦 Dependency: @nrwl/nx-darwin-x64

Trusty Score: 0

Scoring details
Component Score
Provenance unknown

📦 Dependency: @nrwl/nx-linux-arm-gnueabihf

Trusty Score: 0

Scoring details
Component Score
Provenance unknown

📦 Dependency: @nrwl/nx-linux-arm64-gnu

Trusty Score: 0

Scoring details
Component Score
Provenance unknown

📦 Dependency: @nrwl/nx-linux-arm64-musl

Trusty Score: 0

Scoring details
Component Score
Provenance unknown

📦 Dependency: @nrwl/nx-linux-x64-gnu

Trusty Score: 0

Scoring details
Component Score
Provenance unknown

📦 Dependency: @nrwl/nx-linux-x64-musl

Trusty Score: 0

Scoring details
Component Score
Provenance unknown

📦 Dependency: @nrwl/nx-win32-arm64-msvc

Trusty Score: 0

Scoring details
Component Score
Provenance unknown

📦 Dependency: @nrwl/nx-win32-x64-msvc

Trusty Score: 0

Scoring details
Component Score
Provenance unknown

📦 Dependency: @nrwl/tao

Trusty Score: 0

Scoring details
Component Score
Package activity 8.8
Repository activity 8.7
User activity 8.8
Provenance verified_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 1095
Number of git tags or releases 57
Versions matched to tags or releases 50

This package has been digitally signed using sigstore.

Source repository https://github.com/nrwl/nx
Certificate Issuer CN=sigstore-intermediate,O=sigstore.dev
GitHub action workflow .github/workflows/publish.yml
Rekor (public ledger) entry https://search.sigstore.dev/?logIndex=137014867
Alternatives
Package Score Description
create-react-app 0

📦 Dependency: @nrwl/workspace

Trusty Score: 0

Scoring details
Component Score
Package activity 8.7
Repository activity 8.7
User activity 8.7
Provenance verified_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 1127
Number of git tags or releases 57
Versions matched to tags or releases 50

This package has been digitally signed using sigstore.

Source repository https://github.com/nrwl/nx
Certificate Issuer CN=sigstore-intermediate,O=sigstore.dev
GitHub action workflow .github/workflows/publish.yml
Rekor (public ledger) entry https://search.sigstore.dev/?logIndex=137014897

📦 Dependency: @parcel/watcher

Trusty Score: 0

Scoring details
Component Score
Package activity 6.6
Repository activity 4.8
User activity 8.4
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 20
Number of git tags or releases 17
Versions matched to tags or releases 13
Alternatives
Package Score Description
chokidar 0
watchpack 0

📦 Dependency: acorn

Trusty Score: 0

Scoring details
Component Score
Package activity 8.1
Repository activity 6.8
User activity 9.4
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 107
Number of git tags or releases 73
Versions matched to tags or releases 72
Alternatives
Package Score Description
acorn-jsx 0

📦 Dependency: ajv

Trusty Score: 0

Scoring details
Component Score
Package activity 8.1
Repository activity 7.6
User activity 8.6
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 352
Number of git tags or releases 115
Versions matched to tags or releases 95
Alternatives
Package Score Description
joi 0
jsonschema 0

📦 Dependency: ansi-styles

Trusty Score: 0

Scoring details
Component Score
Package activity 6.8
Repository activity 3.7
User activity 10
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 20
Number of git tags or releases 19
Versions matched to tags or releases 18
Alternatives
Package Score Description
chalk 0
colors 0
kleur 0
colorette 0

📦 Dependency: babel-plugin-macros

Trusty Score: 0

Scoring details
Component Score
Package activity 7.3
Repository activity 5.1
User activity 9.6
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 34
Number of git tags or releases 36
Versions matched to tags or releases 19
Alternatives
Package Score Description
babel-plugin-preval 0

📦 Dependency: brace-expansion

Trusty Score: 0

Scoring details
Component Score
Package activity 6.5
Repository activity 3.5
User activity 9.4
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 15
Number of git tags or releases 13
Versions matched to tags or releases 13
Alternatives
Package Score Description
braces 0
expand-braces 0
expand-range 0

📦 Dependency: chalk

Trusty Score: 0

Scoring details
Component Score
Package activity 8.2
Repository activity 6.4
User activity 9.9
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 31
Number of git tags or releases 38
Versions matched to tags or releases 31
Alternatives
Package Score Description
colors 0
kleur 0
colorette 0
ansi-colors 0

📦 Dependency: cliui

Trusty Score: 0

Scoring details
Component Score
Package activity 6.2
Repository activity 4.2
User activity 8.2
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 23
Number of git tags or releases 35
Versions matched to tags or releases 22
Alternatives
Package Score Description
blessed-contrib 0
ink 0
react-blessed 0

📦 Dependency: cosmiconfig

Trusty Score: 0

Scoring details
Component Score
Package activity 6.8
Repository activity 5.1
User activity 8.6
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 36
Number of git tags or releases 32
Versions matched to tags or releases 32
Alternatives
Package Score Description
confit 0
find-config 0

📦 Dependency: dotenv

Trusty Score: 0

Scoring details
Component Score
Package activity 7.7
Repository activity 6.6
User activity 8.8
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 47
Number of git tags or releases 39
Versions matched to tags or releases 37
Alternatives
Package Score Description
dotenv-webpack 0
dotenv-cli 0
dotenv-safe 0

📦 Dependency: emoji-regex

Trusty Score: 0

Scoring details
Component Score
Package activity 6.8
Repository activity 4.9
User activity 8.7
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 23
Number of git tags or releases 22
Versions matched to tags or releases 22
Alternatives
Package Score Description
emojibase 0

📦 Dependency: fast-glob

Trusty Score: 0

Scoring details
Component Score
Package activity 7
Repository activity 5.1
User activity 8.9
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 35
Number of git tags or releases 31
Versions matched to tags or releases 29
Alternatives
Package Score Description
glob 0
fs-extra 0
globby 0
micromatch 0
glob-stream 0
find-up 0
glob-parent 0
glob-fs 0

📦 Dependency: fast-uri

Trusty Score: 0

Scoring details
Component Score
Package activity 5.9
Repository activity 3.4
User activity 8.4
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 12
Number of git tags or releases 11
Versions matched to tags or releases 11
Alternatives
Package Score Description
uri-js 0

📦 Dependency: fs-extra

Trusty Score: 0

Scoring details
Component Score
Package activity 7.8
Repository activity 6.5
User activity 9.2
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 96
Number of git tags or releases 89
Versions matched to tags or releases 89
Alternatives
Package Score Description
rimraf 0
graceful-fs 0
fs-jetpack 0

📦 Dependency: glob

Trusty Score: 0

Alternatives
Package Score Description
rimraf 0
minimatch 0
fast-glob 0
glob-stream 0
glob-parent 0
node-glob 0

📦 Dependency: has-flag

Trusty Score: 0

Scoring details
Component Score
Package activity 6.2
Repository activity 2.7
User activity 9.6
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 4
Number of git tags or releases 3
Versions matched to tags or releases 3
Alternatives
Package Score Description
arg 0
yargs-parser 0
minimist 0

📦 Dependency: json-schema-traverse

Trusty Score: 0

Scoring details
Component Score
Package activity 4.8
Repository activity 3.1
User activity 6.5
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 9
Number of git tags or releases 8
Versions matched to tags or releases 5
Alternatives
Package Score Description
ajv 0
swagger-parser 0

📦 Dependency: minimatch

Trusty Score: 0

Scoring details
Component Score
Package activity 7.4
Repository activity 5.4
User activity 9.3
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 42
Number of git tags or releases 36
Versions matched to tags or releases 33
Alternatives
Package Score Description
glob 0
micromatch 0
braces 0
picomatch 0
minimatch-all 0

📦 Dependency: nx

Trusty Score: 0

Scoring details
Component Score
Package activity 8.8
Repository activity 8.7
User activity 8.8
Provenance verified_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 875
Number of git tags or releases 57
Versions matched to tags or releases 50

This package has been digitally signed using sigstore.

Source repository https://github.com/nrwl/nx
Certificate Issuer CN=sigstore-intermediate,O=sigstore.dev
GitHub action workflow .github/workflows/publish.yml
Rekor (public ledger) entry https://search.sigstore.dev/?logIndex=152325964
Alternatives
Package Score Description
@nrwl/cli 0

📦 Dependency: playwright

Trusty Score: 0

Alternatives
Package Score Description
puppeteer 0
selenium-webdriver 0
cypress 0

📦 Dependency: playwright-core

Trusty Score: 0

Alternatives
Package Score Description
puppeteer 0
selenium-webdriver 0
webdriverio 0

📦 Dependency: rxjs

Trusty Score: 0

Scoring details
Component Score
Package activity 8.9
Repository activity 8.7
User activity 9
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 128
Number of git tags or releases 60
Versions matched to tags or releases 53
Alternatives
Package Score Description
async 0
bluebird 0
rsvp 0
promise 0
lodash 0

📦 Dependency: search-insights

Trusty Score: 0

Scoring details
Component Score
Package activity 7.2
Repository activity 4.7
User activity 9.7
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 57
Number of git tags or releases 49
Versions matched to tags or releases 46
Alternatives
Package Score Description
algoliasearch 0

📦 Dependency: string-width

Trusty Score: 0

Scoring details
Component Score
Package activity 6.9
Repository activity 4
User activity 9.8
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 16
Number of git tags or releases 16
Versions matched to tags or releases 16
Alternatives
Package Score Description
string-length 0
wide-align 0

📦 Dependency: supports-color

Trusty Score: 0

Scoring details
Component Score
Package activity 7.1
Repository activity 4.2
User activity 9.9
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 36
Number of git tags or releases 43
Versions matched to tags or releases 35
Alternatives
Package Score Description
chalk 0
colors 0
kleur 0

📦 Dependency: tslib

Trusty Score: 0

Scoring details
Component Score
Package activity 7.8
Repository activity 5.8
User activity 9.7
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 30
Number of git tags or releases 56
Versions matched to tags or releases 27
Alternatives
Package Score Description
ts-toolbelt 0
ts-helpers 0

📦 Dependency: v8-compile-cache

Trusty Score: 0

Scoring details
Component Score
Package activity 5.9
Repository activity 4.1
User activity 7.7
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 12
Number of git tags or releases 12
Versions matched to tags or releases 12

📦 Dependency: wrap-ansi

Trusty Score: 0

Scoring details
Component Score
Package activity 6.5
Repository activity 3.3
User activity 9.7
Provenance historical_provenance_match
Proof of Origin (Provenance)

This package can be linked back to its source code using a historical provenance map.

We were able to correlate a significant number of git tags and tagged releases in this package’s source code to versions of the published package. This mapping creates a strong link from the package back to its source code repository, verifying proof of origin.

Published package versions 16
Number of git tags or releases 14
Versions matched to tags or releases 14
Alternatives
Package Score Description
chalk 0
ansi-styles 0
ansi-escapes 0
