stacklok / trusty-action

Trusty Dependency Risk Action
https://trustypkg.dev/
Apache License 2.0

Summarize package reports #20

Closed yrobla closed 4 months ago

yrobla commented 5 months ago

Currently the report is expanded all the time. It can be difficult to read if there are hundreds of dependencies. We can have an initial summary table with the failure/success, then expanded on demand.

yrobla commented 5 months ago

testing:

🐻 Trusty Dependency Analysis Action Report

🔴 Failed Dependencies Summary

| Name | Trusty Score | Malicious | Archived | Deprecated |
| --- | --- | --- | --- | --- |
| bugsnagmw | 0.00 | :x: | :white_check_mark: | :white_check_mark: |
| scriptoni | 4.40 | :white_check_mark: | :x: | :x: |
| notifyjs | 5.70 | :white_check_mark: | :x: | :white_check_mark: |

🟢 Successful Dependencies Summary

| Name | Trusty Score |
| --- | --- |
| next | 9.30 |
| react | 8.00 |

Detailed Information for Failed Dependencies

bugsnagmw

0.00
Malicious (This package is marked as Malicious. Proceed with extreme caution!) :x:
Trusty Score: 0.00 :x:

| Category | Score | Passed |
| --- | --- | --- |
| Repo activity | `0.00` | :x: |
| Author activity | `0.00` | :x: |
| Provenance | `5.00` | :white_check_mark: |
| Typosquatting | `10.00` | :white_check_mark: |

Proof of origin (Provenance)

| | |
| --- | --- |
| Number of versions | 0 |
| Number of Git Tags/Releases | 0 |
| Number of versions matched to Git Tags/Releases | 0 |

[Learn more about source of origin provenance](https://docs.stacklok.com/trusty/understand/provenance)

Alternative Packages 💡

| Package | Score | Trusty Link |
| ------- | ----- | ---------- |
| `rollbar` | `5.70` | [`rollbar`](https://www.trustypkg.dev/npm/rollbar) |

scriptoni

4.40
Deprecated (This package is marked as Deprecated. Proceed with caution!) :x:
Archived (This package is marked as Archived. Proceed with caution!) :x:
Trusty Score: 4.40 :x:

| Category | Score | Passed |
| --- | --- | --- |
| Repo activity | `2.70` | :x: |
| Author activity | `6.20` | :white_check_mark: |
| Provenance | `8.00` | :white_check_mark: |
| Typosquatting | `10.00` | :white_check_mark: |

Proof of origin (Provenance)

| | |
| --- | --- |
| Number of versions | 100 |
| Number of Git Tags/Releases | 96 |
| Number of versions matched to Git Tags/Releases | 90 |

[Learn more about source of origin provenance](https://docs.stacklok.com/trusty/understand/provenance)

Alternative Packages 💡

| Package | Score | Trusty Link |
| ------- | ----- | ---------- |
| `create-react-app` | `8.00` | [`create-react-app`](https://www.trustypkg.dev/npm/create-react-app) |
| `react-app-rewired` | `7.20` | [`react-app-rewired`](https://www.trustypkg.dev/npm/react-app-rewired) |
| `react-scripts` | `5.00` | [`react-scripts`](https://www.trustypkg.dev/npm/react-scripts) |
| `craco` | `3.50` | [`craco`](https://www.trustypkg.dev/npm/craco) |

notifyjs

5.70
Archived (This package is marked as Archived. Proceed with caution!) :x:
Trusty Score: 5.70 :white_check_mark:

| Category | Score | Passed |
| --- | --- | --- |
| Repo activity | `5.00` | :white_check_mark: |
| Author activity | `6.50` | :white_check_mark: |
| Provenance | `8.00` | :white_check_mark: |
| Typosquatting | `10.00` | :white_check_mark: |

Proof of origin (Provenance)

| | |
| --- | --- |
| Number of versions | 16 |
| Number of Git Tags/Releases | 16 |
| Number of versions matched to Git Tags/Releases | 13 |

[Learn more about source of origin provenance](https://docs.stacklok.com/trusty/understand/provenance)

Alternative Packages 💡

| Package | Score | Trusty Link |
| ------- | ----- | ---------- |
| `node-notifier` | `7.10` | [`node-notifier`](https://www.trustypkg.dev/npm/node-notifier) |

Detailed Information for Successful Dependencies

next

9.30 Sigstore
Trusty Score: 9.30 :white_check_mark:

| Category | Score | Passed |
| --- | --- | --- |
| Repo activity | `10.00` | :white_check_mark: |
| Author activity | `8.60` | :white_check_mark: |
| Provenance | `10.00` | :white_check_mark: |
| Typosquatting | `10.00` | :white_check_mark: |

Proof of origin (Provenance)
Built and signed with sigstore using GitHub Actions.

| | |
| --- | --- |
| Source repo | https://github.com/vercel/next.js |
| Github Action Workflow | .github/workflows/build_and_deploy.yml |
| Issuer | CN=sigstore-intermediate,O=sigstore.dev |
| Rekor Public Ledger | https://search.sigstore.dev/?logIndex=88381843 |

[Learn more about source of origin provenance](https://docs.stacklok.com/trusty/understand/provenance)

Alternative Packages 💡

| Package | Score | Trusty Link |
| ------- | ----- | ---------- |
| `http-proxy` | `8.00` | [`http-proxy`](https://www.trustypkg.dev/npm/http-proxy) |
| `react-router` | `8.00` | [`react-router`](https://www.trustypkg.dev/npm/react-router) |
| `vue-router` | `5.00` | [`vue-router`](https://www.trustypkg.dev/npm/vue-router) |
| `react-router-dom` | `5.00` | [`react-router-dom`](https://www.trustypkg.dev/npm/react-router-dom) |

react

8.00
Trusty Score: 8.00 :white_check_mark:

| Category | Score | Passed |
| --- | --- | --- |
| Repo activity | `10.00` | :white_check_mark: |
| Author activity | `8.20` | :white_check_mark: |
| Provenance | `8.00` | :white_check_mark: |
| Typosquatting | `10.00` | :white_check_mark: |

Proof of origin (Provenance)

| | |
| --- | --- |
| Number of versions | 1756 |
| Number of Git Tags/Releases | 136 |
| Number of versions matched to Git Tags/Releases | 69 |

[Learn more about source of origin provenance](https://docs.stacklok.com/trusty/understand/provenance)

Alternative Packages 💡

| Package | Score | Trusty Link |
| ------- | ----- | ---------- |
| `styled-components` | `8.00` | [`styled-components`](https://www.trustypkg.dev/npm/styled-components) |
| `vue` | `8.00` | [`vue`](https://www.trustypkg.dev/npm/vue) |
| `svelte` | `8.00` | [`svelte`](https://www.trustypkg.dev/npm/svelte) |
| `preact` | `7.80` | [`preact`](https://www.trustypkg.dev/npm/preact) |
| `inferno` | `7.50` | [`inferno`](https://www.trustypkg.dev/npm/inferno) |

🌟 If you like this action, why not try out Minder, the secure supply chain platform. It has vastly more protections and is also free (as in :beer:) to opensource projects.
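The summary-first layout proposed in this issue, as an added example that is not trusty-action's own code: failed and successful packages are split into two scannable tables, and per-package detail is folded into GitHub-rendered `<details>` blocks. The `THRESHOLD` value, the `Dep` shape and the sample packages are assumptions made here, modelled on the report shown above.

```typescript
// Added example, not trusty-action's own code: emit a summary-first report
// with the per-package detail folded into <details> blocks.
interface Dep {
  name: string;
  score: number;      // Trusty score, 0.00-10.00
  malicious: boolean;
  archived: boolean;
  deprecated: boolean;
}

// Hypothetical pass threshold; chosen so 4.40 fails and 5.70 passes as above
const THRESHOLD = 5.0;

// A dependency fails on any risk flag or on a score below the threshold
function failed(d: Dep): boolean {
  return d.malicious || d.archived || d.deprecated || d.score < THRESHOLD;
}

// :x: marks a problem, :white_check_mark: marks a clean check
const mark = (bad: boolean): string => (bad ? ":x:" : ":white_check_mark:");
const fmt = (n: number): string => n.toFixed(2);

function renderReport(deps: Dep[]): string {
  const bad = deps.filter(failed);
  const good = deps.filter((d) => !failed(d));
  const out: string[] = ["## 🐻 Trusty Dependency Analysis Action Report", ""];
  // Summary tables first: one row per package, readable with hundreds of deps
  out.push("### 🔴 Failed Dependencies Summary", "",
    "| Name | Trusty Score | Malicious | Archived | Deprecated |",
    "| --- | --- | --- | --- | --- |");
  for (const d of bad) {
    out.push(`| ${d.name} | ${fmt(d.score)} | ${mark(d.malicious)} | ${mark(d.archived)} | ${mark(d.deprecated)} |`);
  }
  out.push("", "### 🟢 Successful Dependencies Summary", "", "| Name | Trusty Score |", "| --- | --- |");
  for (const d of good) out.push(`| ${d.name} | ${fmt(d.score)} |`);
  // Detail is collapsed by default; GitHub renders <details> as expand-on-demand
  out.push("", "### Detailed Information for Failed Dependencies");
  for (const d of bad) {
    out.push("", `<details><summary>${d.name} (${fmt(d.score)})</summary>`, "",
      `Trusty Score: ${fmt(d.score)} ${mark(d.score < THRESHOLD)}`);
    if (d.malicious) out.push("Malicious (This package is marked as Malicious. Proceed with extreme caution!) :x:");
    out.push("", "</details>");
  }
  return out.join("\n");
}

// Constructed sample mirroring the packages in the comment above
const SAMPLE: Dep[] = [
  { name: "bugsnagmw", score: 0.0, malicious: true, archived: false, deprecated: false },
  { name: "scriptoni", score: 4.4, malicious: false, archived: true, deprecated: true },
  { name: "notifyjs", score: 5.7, malicious: false, archived: true, deprecated: false },
  { name: "next", score: 9.3, malicious: false, archived: false, deprecated: false },
];
```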