The maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed.
Package does not contain any code. It may be removed, is name squatting, or the result of a faulty package publish.
This package is malware. We have asked npm to remove it.
This package is a joke. You should not use it in production.
Bidirectional unicode control characters
Source files contain bidirectional unicode control characters. This could indicate a Trojan source supply chain attack. See: trojansource.code for more information.
Bin script confusion
This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing or could be a sign of a supply chain attack
Bin script shell injection
This package re-exports a well known shell command via an npm bin script. This is possibly a supply chain attack
Contains a dependency which resolves to a remote git URL. Dependencies fetched from git URLs are not immutable can be used to inject untrusted code or reduce the likelihood of a reproducible install.
Contains a dependency which resolves to a GitHub URL. Dependencies fetched from GitHub specifiers are not immutable can be used to inject untrusted code or reduce the likelihood of a reproducible install.
Contains a dependency which resolves to a remote HTTP URL which could be used to inject untrusted code and reduce overall package reliability.
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Source files contain invisible characters. This could indicate source obfuscation or a supply chain attack.
Package accesses dynamic properties of require and may be obfuscating code execution.
Potential typo squat
Package name is similar to other popular packages and may not be the package you want.
This package contains suspicious text patterns which are commonly associated with bad behavior
This package contains telemetry which tracks you.
Packages less than 10 lines of code are easily copied into your own project and may not warrant the additional supply chain risk of an external dependency.
A new collaborator has begun publishing package versions. Package stability and security risk may be elevated.
Zero width unicode chars
Package files contain zero width unicode characters. This could indicate a supply chain attack.
Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.
This module accesses the network.
A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Package does not have a linked source code repository. Without this field, a package will have no reference to the location of the source code use to generate the package.
Package semver skipped several versions, this could indicate a dependency confusion attack or indicate the intention of disruptive breaking changes or major priority shifts for the project.
This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.
Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.
Chronological version anomaly
Semantic versions published out of chronological order.
Uses debug, reflection and dynamic code execution features.
Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.
Environment variable access
Package accesses environment variables, which may be a sign of credential stuffing or data theft.
Accesses the file system, and could potentially read sensitive data.
High entropy strings
Contains high entropy strings. This could be a sign of encrypted data, leaked secrets or obfuscated code.
The package was published by an npm account that no longer exists.
Package has unused dependencies. This package depends on code that it does not use. This can increase the attack surface for malware and slow down installation.
Package contains fragments of external URLs or IP addresses, which may indicate that it covertly exfiltrates data.
Package has an invalid package.json and can cause installation problems if you try to use it.
A required dependency is not declared in package.json and may prevent the package from working.
Package imports a file which does not exist and may not work as is. It could also be importing a file that will be created at runtime which could be a vector for running malicious code.
CommonJS depending on ESModule
Package is CommonJS, but has a dependency which is type: two are likely incompatible.
Package does not have a README. This may indicate a failed publish or a low quality package.
Uncaught optional dependency
Package uses an optional dependency without handling a missing dependency exception. If you install it without the optional dependencies then it could cause runtime errors.
Package version is not a valid semantic version (semver).
Bad text encoding
Source files are encoded using a non-standard text encoding.
Package optionally loads a dependency which is not specified within any of the package.json dependency fields. It may inadvertently be importing dependencies specified by other packages.
Package does not have any tests. This is a strong signal of a poorly maintained or low quality package.
Contains unicode homoglyphs which can be used in supply chain confusion attacks.
Bad dependency semver
Package has dependencies with an invalid semantic version. This could be a sign of beta, low quality, or unmaintained dependencies.
Contains a dependency which resolves to a file. This can obfuscate analysis and serves no useful purpose.
Package is not semver >=1. This means it is not stable and does not support ^ ranges.
Package does not have a website.
Package specifies peer dependencies in package.json.
Package has not been updated in more than a year and may be unmaintained. Problems with the package may go unaddressed.
Contains long string literals, which may be a sign of obfuscated or packed code.
No bug tracker
Package does not have a linked bug tracker in package.json.
No contributors or author data
Package does not specify a list of contributors or an author in package.json.
Package contains a copyright but no license. Using this package may expose you to legal risk.
License is deprecated which may have legal implications regarding the package's use.
Deprecated SPDX exception
Contains a known deprecated SPDX license exception.
Package license has recently changed.
Package does not have a license and consumption legal status is unknown.
Non SPDX license
Package contains a non-standard license somewhere. Please read carefully before using.
Package contains multiple licenses.
Modified license exception
Package contains a modified version of an SPDX license exception. Please read carefully before using this code.
Non OSI license
Package has a non-OSI-approved license.
Package contains a reference to a license without a matching LICENSE file.
Package contains a legal notice. This could increase your exposure to legal risk when using this project.
Contains an SPDX license exception.
Package contains a modified version of an SPDX license. Please read carefully before using this code.