Severity
High
Description
Contains a dependency which resolves to a GitHub URL. Dependencies fetched from GitHub specifiers are not immutable and can be used to inject untrusted code or reduce the likelihood of a reproducible install.
Suggestion
Publish the GitHub dependency to npm or a private package repository and consume it from there.
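As an added example (not code from this alert page or from any of the listed packages), a small Node.js script that scans a package.json for dependency specifiers npm resolves to GitHub and reports whether each one is at least pinned to a full commit SHA; the package names, organisation and specifiers in the embedded sample manifest are constructed.

```javascript
// Added example, not Socket's or any listed package's code: flag package.json
// dependency specifiers that npm resolves to GitHub, and report whether each is
// at least pinned to a full commit SHA (the only ref the repo owner cannot move).
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Specifier shapes npm treats as GitHub sources. Capture groups: owner, repo, ref.
const GITHUB_PATTERNS = [
  /^github:([\w.-]+)\/([\w.-]+?)(?:\.git)?(?:#(.*))?$/,                                                   // github:owner/repo#ref
  /^(?:git\+)?(?:https?|ssh|git):\/\/(?:[\w.-]+@)?github\.com\/([\w.-]+)\/([\w.-]+?)(?:\.git)?(?:#(.*))?$/, // git+https://github.com/owner/repo.git#ref
  /^git@github\.com:([\w.-]+)\/([\w.-]+?)(?:\.git)?(?:#(.*))?$/,                                          // git@github.com:owner/repo.git#ref
  /^https?:\/\/github\.com\/([\w.-]+)\/([\w.-]+)\/(?:tarball|archive)\/([^/]+?)(?:\.tar\.gz|\.zip)?$/,     // tarball / archive URL
  /^([\w.-]+)\/([\w.-]+?)(?:#(.*))?$/,                                                                     // bare owner/repo shorthand
];

function parseGitHubSpec(spec) {
  for (const re of GITHUB_PATTERNS) {
    const m = re.exec(spec);
    if (m) return { owner: m[1], repo: m[2], ref: m[3] || '' };
  }
  return null; // registry version/range, npm: alias, file:, workspace:, etc.
}

// Branch and tag refs can be force-pushed or deleted; only a full 40-hex SHA is immutable.
const isCommitSha = (ref) => /^[0-9a-f]{40}$/i.test(ref);

function findGitHubDependencies(pkg) {
  const findings = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const gh = typeof spec === 'string' ? parseGitHubSpec(spec.trim()) : null;
      if (gh) findings.push({ section, name, spec, ...gh, pinnedToCommit: isCommitSha(gh.ref) });
    }
  }
  return findings;
}

// Constructed sample manifest; the package names and the GitHub org are made up.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  dependencies: {
    'widget-lib': 'github:example-org/widget-lib#main',
    'pinned-lib': 'git+https://github.com/example-org/pinned-lib.git#e83c5163316f89bfbde7d9ab23ca2e25604af290',
    'shorthand-lib': 'example-org/shorthand-lib',
    'aliased': 'npm:some-pkg@^1.0.0',
  },
  devDependencies: { 'tarball-lib': 'https://github.com/example-org/tarball-lib/tarball/master' },
});

for (const f of findGitHubDependencies(JSON.parse(SAMPLE_PACKAGE_JSON))) {
  console.log(`${f.section}/${f.name}: ${f.owner}/${f.repo} ref=${f.ref || '(default branch)'} pinned=${f.pinnedToCommit}`);
}
```

Run it against a real manifest by replacing the sample with `fs.readFileSync('package.json', 'utf8')`; anything reported with `pinned=false` follows a movable branch or tag and is what this alert is about.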
Packages with this alert
Physics system for A-Frame VR, built on Cannon.js
Simple AgensGraph web UI client that is easy to run and use
This is a little daemon that can retrieve an audio stream via TCP socket or from an Alsa Loopback device and stream it to Airplay/Airtunes compatible receivers. Via Web UI or MQTT you can control the receivers' volume and enable/disable the receivers.