AI detected security risk
AI has determined that this package may contain potential security issues or vulnerabilities
Git dependency
Contains a dependency which resolves to a remote git URL. Dependencies fetched from git URLs are not immutable, can be used to inject untrusted code, and reduce the likelihood of a reproducible install.
HTTP dependency
Contains a dependency which resolves to a remote HTTP URL which could be used to inject untrusted code and reduce overall package reliability.
Known Malware
This package is malware. We have asked npm to remove it.
Potential typo squat
Package name is similar to other popular packages and may not be the package you want.
Unpublished package
Package version was not found on the registry. It may exist on a different registry and need to be configured to pull from that registry.
Bidirectional unicode control characters
Source files contain bidirectional unicode control characters. This could indicate a Trojan source supply chain attack. See: trojansource.codes for more information.
Bin script confusion
This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing or could be a sign of a supply chain attack.
Bin script shell injection
This package re-exports a well-known shell command via an npm bin script. This is possibly a supply chain attack.
GitHub dependency
Contains a dependency which resolves to a GitHub URL. Dependencies fetched from GitHub specifiers are not immutable, can be used to inject untrusted code, and reduce the likelihood of a reproducible install.
Install scripts
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Invisible chars
Source files contain invisible characters. This could indicate source obfuscation or a supply chain attack.
Non-existent author
The package was published by an npm account that no longer exists.
Obfuscated code
Obfuscated files are intentionally packed to hide their behavior. This could be a sign of malware.
Obfuscated require
Package accesses dynamic properties of require and may be obfuscating code execution.
Protestware/Troll package
This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function.
Suspicious strings
This package contains suspicious text patterns which are commonly associated with bad behavior.
Telemetry
This package contains telemetry which tracks you.
Unstable ownership
A new collaborator has begun publishing package versions. Package stability and security risk may be elevated.
Zero width unicode chars
Package files contain zero width unicode characters. This could indicate a supply chain attack.
AI warning
AI has found some unusual behaviors which could indicate a security risk
Empty package
Package does not contain any code. It may have been removed, may be name squatting, or may be the result of a faulty package publish.
Major refactor
Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Native code
Contains native code, which could be a vector to obscure malicious code and generally decreases the likelihood of reproducible or reliable installs.
Network access
This module accesses the network.
New author
A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Semver anomaly
Package semver skipped several versions. This could indicate a dependency confusion attack, or the intention of disruptive breaking changes or major priority shifts for the project.
Shell access
This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.
Trivial Package
Packages with fewer than 10 lines of code are easily copied into your own project and may not warrant the additional supply chain risk of an external dependency.
Uses eval
Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.
Chronological version anomaly
Semantic versions published out of chronological order.
Debug access
Uses debug, reflection and dynamic code execution features.
Dynamic require
Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.
Environment variable access
Package accesses environment variables, which may be a sign of credential stuffing or data theft.
Filesystem access
Accesses the file system, and could potentially read sensitive data.
High entropy strings
Contains high entropy strings. This could be a sign of encrypted data, leaked secrets or obfuscated code.
Long strings
Contains long string literals, which may be a sign of obfuscated or packed code.
No repository
Package does not have a linked source code repository. Without this field, a package will have no reference to the location of the source code used to generate the package.
Unused dependency
Package has unused dependencies. This package depends on code that it does not use. This can increase the attack surface for malware and slow down installation.
URL strings
Package contains fragments of external URLs or IP addresses, which may indicate that it covertly exfiltrates data.
Invalid package.json
Package has an invalid package.json and can cause installation problems if you try to use it.
Missing package tarball
This package is missing its tarball. It could have been removed from the npm registry, or there may have been an error when publishing.
Unresolved require
Package imports a file which does not exist and may not work as is. It could also be importing a file that will be created at runtime which could be a vector for running malicious code.
Uncaught optional dependency
Package uses an optional dependency without handling a missing dependency exception. If you install it without the optional dependencies then it could cause runtime errors.
Bad semver
Package version is not a valid semantic version (semver).
Bad text encoding
Source files are encoded using a non-standard text encoding.
Extraneous dependency
Package optionally loads a dependency which is not specified within any of the package.json dependency fields. It may inadvertently be importing dependencies specified by other packages.
Missing dependency
A required dependency is not declared in package.json and may prevent the package from working.
No README
Package does not have a README. This may indicate a failed publish or a low quality package.
Unicode homoglyphs
Contains unicode homoglyphs which can be used in supply chain confusion attacks.
Bad dependency semver
Package has dependencies with an invalid semantic version. This could be a sign of beta, low quality, or unmaintained dependencies.
CommonJS depending on ESModule
Package is CommonJS, but has a dependency which is type: "module". The two are likely incompatible.
File dependency
Contains a dependency which resolves to a file. This can obfuscate analysis and serves no useful purpose.
Minified code
This package contains minified code. This may be harmless in some cases, such as minified code included in packaged libraries; however, packages on npm should not minify code.
No tests
Package does not have any tests. This is a strong signal of a poorly maintained or low quality package.
No v1
Package is not semver >=1. This means it is not stable and does not support ^ ranges.
No website
Package does not have a website.
Peer dependency
Package specifies peer dependencies in package.json.
Deprecated
The maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed.
No bug tracker
Package does not have a linked bug tracker in package.json.
No contributors or author data
Package does not specify a list of contributors or an author in package.json.
Unmaintained
Package has not been updated in more than a year and may be unmaintained. Problems with the package may go unaddressed.
Critical CVE
Contains a Critical Common Vulnerability and Exposure (CVE).
CVE
Contains a high severity Common Vulnerability and Exposure (CVE).
Mild CVE
Contains a low severity Common Vulnerability and Exposure (CVE).
Deprecated license
(Experimental) License is deprecated which may have legal implications regarding the package's use.
Deprecated SPDX exception
(Experimental) Contains a known deprecated SPDX license exception.
Legal notice
(Experimental) Package contains a legal notice. This could increase your exposure to legal risk when using this project.
License change
(Experimental) Package license has recently changed.
License exception
(Experimental) Contains an SPDX license exception.
Missing license
(Experimental) Package does not have a license and consumption legal status is unknown.
Mixed license
(Experimental) Package contains multiple licenses.
Modified license
(Experimental) Package contains a modified version of an SPDX license. Please read carefully before using this code.
Modified license exception
(Experimental) Package contains a modified version of an SPDX license exception. Please read carefully before using this code.
Non OSI license
(Experimental) Package has a non-OSI-approved license.
Non SPDX license
(Experimental) Package contains a non-standard license somewhere. Please read carefully before using.
Unclear license
Package contains a reference to a license without a matching LICENSE file.
Unsafe copyright
(Experimental) Package contains a copyright but no license. Using this package may expose you to legal risk.