Severity
High
Description
Contains a dependency which resolves to a GitHub URL. Dependencies fetched from GitHub specifiers are not immutable, so they can be used to inject untrusted code and they reduce the likelihood of a reproducible install.
Suggestion
Publish the GitHub dependency to npm or a private package repository and consume it from there.
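The following is an added example, not part of the original alert text or of any tool's own code: a check that walks a parsed `package.json` and reports every dependency whose specifier resolves to GitHub, noting whether the ref is anything other than a full commit hash. The `SAMPLE` manifest, package names and repository names are constructed for illustration.

```javascript
// Specifier forms that npm resolves against GitHub rather than the registry.
const GITHUB_PATTERNS = [
  /^github:/i,                                   // github:user/repo
  /^(?!\.)[\w.-]+\/[\w.-]+(#.+)?$/,              // bare user/repo shorthand
  /^(git\+)?(https?|ssh|git):\/\/([^@\/]+@)?(codeload\.)?github\.com[\/:]/i, // git and tarball URLs
  /^git@github\.com:/i,                          // scp-style SSH
];
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

function isGitHubSpec(spec) {
  return typeof spec === "string" && GITHUB_PATTERNS.some((re) => re.test(spec.trim()));
}

// True unless the part after '#' is a full 40-hex commit hash.
// Branches, tags and a missing ref (default branch) can all move over time.
function hasMutableRef(spec) {
  const i = spec.indexOf("#");
  return i === -1 || !/^[0-9a-f]{40}$/i.test(spec.slice(i + 1));
}

// Returns one finding per GitHub-resolved dependency in the manifest object.
function findGitHubDeps(pkg) {
  const findings = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (isGitHubSpec(spec)) {
        findings.push({ section, name, spec, mutableRef: hasMutableRef(spec) });
      }
    }
  }
  return findings;
}

// Constructed manifest: four GitHub specifiers mixed with registry, alias and local ones.
const SAMPLE = {
  name: "constructed-example",
  dependencies: {
    "registry-dep": "^1.2.3",
    "alias-dep": "npm:@scope/pkg@2.0.0",
    "local-dep": "./packages/local",
    "shorthand-dep": "someuser/somerepo",
    "tagged-dep": "github:someuser/somerepo#v1.0.0",
    "pinned-dep": "git+https://github.com/someuser/somerepo.git#0123456789abcdef0123456789abcdef01234567",
  },
  devDependencies: { "tarball-dep": "https://github.com/someuser/somerepo/tarball/master", "file-dep": "file:../e" },
};

console.log(findGitHubDeps(SAMPLE));
```

A dependency pinned to a full commit hash is still fetched from GitHub and is still reported; `mutableRef` only separates refs that can silently change from ones that cannot.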
Packages with this alert
Ethereum JavaScript API, middleware to talk to an ethereum node over RPC
a web UI for doing nodeschool adventures in the browser
Learn how to build adventuretron workshops with an adventuretron workshop!
aegir dev-cli packaged as tiny, minified, single-file bundle
decrypt aes-128 content using a key
> `aframe-core` has merged into [aframe dev branch](https://github.com/aframevr/aframe/tree/dev) and all development has moved to the [aframe repo](https://github.com/aframevr/aframe). This repository will be removed later.
A web framework for building virtual reality experiences. (CHANGES: force aframe to use a custom canvas)