Severity
High
Description
Contains a dependency which resolves to a GitHub URL. Dependencies fetched from GitHub specifiers are not immutable, so they can be used to inject untrusted code and reduce the likelihood of a reproducible install.
Suggestion
Publish the GitHub dependency to npm or a private package repository and consume it from there.
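As an added example (not code from this alert page or from any of the listed packages), the following JavaScript check finds GitHub specifiers in a parsed package.json and reports whether each one is at least pinned to a full commit SHA; the sample manifest, package names and org are constructed placeholders.

```javascript
// Added example: scan package.json dependency specifiers that resolve to GitHub
// instead of a registry. Specifier forms follow the npm docs: "user/repo",
// "github:user/repo#ref", git+https / ssh URLs to github.com, and the
// scp-style git@github.com:user/repo form.
const GITHUB_PATTERNS = [
  /^github:([^#]+)(?:#(.*))?$/,                                   // github:user/repo#ref
  /^(?:git\+)?(?:https?|ssh|git):\/\/(?:[^@/]+@)?github\.com\/([^#]+?)(?:\.git)?(?:#(.*))?$/,
  /^git@github\.com:([^#]+?)(?:\.git)?(?:#(.*))?$/,              // scp-style ssh
  /^([A-Za-z0-9-]+\/[A-Za-z0-9_.-]+)(?:#(.*))?$/,                 // bare user/repo shorthand
];
const FULL_COMMIT_SHA = /^[0-9a-f]{40}$/;

// Returns null for registry/file/workspace specifiers; otherwise describes the GitHub ref.
function classifyGithubSpecifier(spec) {
  for (const re of GITHUB_PATTERNS) {
    const m = re.exec(spec);
    if (!m) continue;
    const ref = m[2] === undefined ? null : m[2];
    return { repo: m[1], ref, pinnedToCommit: ref !== null && FULL_COMMIT_SHA.test(ref) };
  }
  return null;
}

// Walks every dependency field of a parsed package.json and collects GitHub specifiers.
function findGithubDependencies(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const hit = classifyGithubSpecifier(String(spec));
      if (hit) findings.push({ field, name, spec, ...hit });
    }
  }
  return findings;
}

// Constructed sample manifest (placeholder names); a commit-pinned specifier is
// still flagged because the code is not served from a registry.
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: {
    express: '^4.18.0',
    'some-lib': 'github:example-org/some-lib',
    'branch-lib': 'example-org/branch-lib#main',
    'pinned-lib': 'git+https://github.com/example-org/pinned-lib.git#0123456789abcdef0123456789abcdef01234567',
  },
  devDependencies: { 'local-tool': 'file:../local-tool' },
};
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package.json', 'utf8'))` to `findGithubDependencies`; entries with `pinnedToCommit: false` float with the branch or tag they reference.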
Packages with this alert
IPC Server that provides communication between isolated AceBase processes using the same database files, such as local pm2 and cloud-based clusters.
Elasticsearch backend for acl
Modular ActivityPub implementation as Express middleware to easily add decentralization and federation to Node apps