Severity
High
Description
Contains a dependency which resolves to a GitHub URL. Dependencies fetched from GitHub specifiers are not immutable can be used to inject untrusted code or reduce the likelihood of a reproducible install.
Suggestion
Publish the GitHub dependency to npm or a private package repository and consume it from there.
Packages with this alert
A node/iojs library & CLI for HTML_Codesniffer
High performance Node.js webserver with a simple-to-use API powered by uWebsockets.js under the hood.
A web framework for building virtual reality experiences. (CHANGES: force aframe to use a custom canvas)
This is a little daemon that can retrieve an audio stream via TCP socket or from a Alsa Loopback device and stream it to Airplay/Airtunes compatible receivers. Via Web UI or MQTT you can control the receivers volume and enable/disable the receivers.