The maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed.

Found 3 instances in 3 packages

Non-existent author

Supply chain risk

The package was published by an npm account that no longer exists.

Found 2 instances in 2 packages

Medium CVE

Vulnerability

Contains a medium severity Common Vulnerability and Exposure (CVE).

Found 4 instances in 3 packages

Network access

Supply chain risk

This module accesses the network.

Found 2 instances in 2 packages

Wildcard dependency

Quality

Package has a dependency with a floating version range. This can cause issues if the dependency publishes a new major version.

Found 2 instances in 2 packages

Unmaintained

Maintenance

Package has not been updated in more than 5 years and may be unmaintained. Problems with the package may go unaddressed.

Found 5 instances in 5 packages

URL strings

Supply chain risk

Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.

Found 3 instances in 3 packages

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 2 instances in 2 packages

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 4 instances in 4 packages

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 4 instances in 4 packages

Low CVE

Vulnerability

Contains a low severity Common Vulnerability and Exposure (CVE).

Found 4 instances in 3 packages

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 2 instances in 2 packages