[DependOnMe] Critical security fix - 1 issue(s)

[dependonme-deriv]

Bulk Security Fix

This pull request was automatically generated by DependOnMe to fix 1 critical security issue(s).

Issues Fixed

• Critical: 1
• High: 0
• Medium: 0
• Low: 0

Files Modified

• package.json

AI Summary

Fixed 1 security issue:

CVE-2026-9277 — shell-quote ≤ 1.8.3: quote() does not escape newlines in object .op values

• What was changed: Added "shell-quote": "^1.8.4" to both the overrides section (npm) and the resolutions section (yarn/berry) in package.json.
• Why: shell-quote is a transitive dependency (not a direct dependency). The vulnerability allows injection of newline characters via object .op values in the quote() function, which could enable command injection in contexts where shell-quote is used to construct shell commands.
• Approach chosen: Override/resolution approach was used because shell-quote is a transitive dependency that may be pulled in by multiple packages (e.g., webpack-dev-server, cross-env, or other build tools). Identifying and upgrading every root package that transitively depends on it would be fragile and potentially introduce other breaking changes. A single override is the safest and most targeted fix.
• Breaking changes: None. This is a patch version bump (1.8.3 → 1.8.4). The fix only adds newline escaping to the quote() function with no API changes.

⚠️ Risk Assessment:

• Low Risk: Patch version update (1.8.3 → 1.8.4) with no breaking changes. The fix adds newline escaping in quote() — purely additive security hardening with no API surface changes.

🧪 Testing Checklist:

• Run npm install to regenerate package-lock.json with the overridden version
• Verify node_modules/shell-quote/package.json shows version 1.8.4 or higher after install
• Run full test suite: npm test
• Verify build succeeds: npm run build
• Run npm run start to confirm dev server starts correctly
• Confirm no regressions in shell-quoting behavior (build scripts, cross-env usage)

🔧 Manual Steps Required:

1. After applying the fix, run npm install (or npm ci in CI) to regenerate the lock file with the patched shell-quote version.
2. Verify the resolved version: npm ls shell-quote — all instances should show 1.8.4 or higher.

---

This PR was created by DependOnMe - Automated Security Issue Management

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.
• ⚠️ 1 packages with OpenSSF Scorecard issues.

See the Details below.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/@sinonjs/commons	1.8.6	🟢 3.4	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 1 Found 3/17 approved changesets -- score normalized to 1 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@sinonjs/formatio	3.2.2	⚠️ 2.6	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ -1 no workflows found Code-Review ⚠️ 2 Found 2/9 approved changesets -- score normalized to 2 Token-Permissions ⚠️ -1 No tokens found Maintained ⚠️ 0 project is archived Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ -1 no dependencies found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found License 🟢 9 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@sinonjs/samsam	3.3.3	🟢 5.7	Details Check Score Reason Maintained 🟢 10 23 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 0 Found 0/16 approved changesets -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@sinonjs/text-encoding	0.7.3	Unknown	Unknown
npm/array-from	2.1.1	Unknown	Unknown
npm/assertion-error	1.1.0	🟢 4.7	Details Check Score Reason Maintained ⚠️ 0 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 7 Found 20/26 approved changesets -- score normalized to 7 Pinned-Dependencies 🟢 10 all dependencies are pinned Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/chai	4.5.0	🟢 6.8	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 29 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 5 Found 3/6 approved changesets -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/check-error	1.0.3	🟢 5	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 7 Found 17/23 approved changesets -- score normalized to 7 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/deep-eql	4.1.4	🟢 4.3	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review 🟢 5 Found 15/26 approved changesets -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/diff	3.5.1	🟢 3.5	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 0 Found 0/28 approved changesets -- score normalized to 0 Dangerous-Workflow ⚠️ -1 no workflows found Maintained 🟢 10 10 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ -1 No tokens found Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ -1 no dependencies found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/get-func-name	2.0.2	🟢 5.3	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 7 9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7 Code-Review 🟢 6 Found 9/14 approved changesets -- score normalized to 6 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/has-flag	3.0.0	🟢 3.6	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review ⚠️ 1 Found 4/22 approved changesets -- score normalized to 1 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/isarray	0.0.1	🟢 6.9	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 10 security policy file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 CII-Best-Practices 🟢 5 badge detected: Passing Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/just-extend	4.2.1	🟢 4.2	Details Check Score Reason Code-Review 🟢 3 Found 10/30 approved changesets -- score normalized to 3 Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/lolex	4.2.0	🟢 5.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 5/27 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/lolex	5.1.2	🟢 5.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 5/27 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/loupe	2.3.7	🟢 5	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 3 Found 1/3 approved changesets -- score normalized to 3 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Maintained 🟢 10 13 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/nise	1.5.3	🟢 5.3	Details Check Score Reason Code-Review ⚠️ 0 Found 1/20 approved changesets -- score normalized to 0 Maintained 🟢 6 8 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found License 🟢 9 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/path-to-regexp	1.9.0	🟢 7.6	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 26 out of 26 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 5 found 12 unreviewed changesets out of 29 -- score normalized to 5 Contributors 🟢 10 25 different organizations found -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 16 commit(s) out of 30 and 3 issue activity out of 30 found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 no published package detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 9 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 no vulnerabilities detected
npm/pathval	1.1.1	🟢 5.1	Details Check Score Reason Code-Review 🟢 8 Found 8/10 approved changesets -- score normalized to 8 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Packaging 🟢 10 packaging workflow detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/sinon	7.5.0	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 3 Found 8/23 approved changesets -- score normalized to 3 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Security-Policy ⚠️ 0 security policy file not detected License 🟢 9 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST 🟢 6 SAST tool is not run on all commits -- score normalized to 6
npm/supports-color	5.5.0	🟢 3.9	Details Check Score Reason Code-Review 🟢 4 Found 12/30 approved changesets -- score normalized to 4 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/type-detect	4.0.8	🟢 4.1	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 9 Found 13/14 approved changesets -- score normalized to 9 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/type-detect	4.1.0	🟢 4.1	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 9 Found 13/14 approved changesets -- score normalized to 9 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Manifest Files

package-lock.json

• @sinonjs/commons@1.8.6
• @sinonjs/formatio@3.2.2
• @sinonjs/samsam@3.3.3
• @sinonjs/text-encoding@0.7.3
• array-from@2.1.1
• assertion-error@1.1.0
• chai@4.5.0
• check-error@1.0.3
• deep-eql@4.1.4
• diff@3.5.1
• get-func-name@2.0.2
• has-flag@3.0.0
• just-extend@4.2.1
• lolex@4.2.0
• lolex@5.1.2
• loupe@2.3.7
• nise@1.5.3
• path-to-regexp@1.9.0
• pathval@1.1.1
• shell-quote@1.8.4
• sinon@7.5.0
• supports-color@5.5.0
• type-detect@4.0.8
• type-detect@4.1.0
• @colors/colors@1.5.0
• @octokit/auth-token@6.0.0
• @octokit/core@7.0.2
• @octokit/endpoint@11.0.0
• @octokit/graphql@9.0.1
• @octokit/openapi-types@25.1.0
• @octokit/plugin-paginate-rest@13.0.1
• @octokit/plugin-retry@8.0.1
• @octokit/plugin-throttling@11.0.1
• @octokit/request@10.0.2
• @octokit/request-error@7.0.0
• @octokit/types@14.1.0
• @sec-ant/readable-stream@0.4.1
• @semantic-release/commit-analyzer@13.0.1
• @semantic-release/github@11.0.3
• @semantic-release/npm@12.0.1
• @semantic-release/release-notes-generator@14.0.3
• @sindresorhus/is@4.6.0
• @sindresorhus/merge-streams@4.0.0
• @sinonjs/commons@1.8.6
• @sinonjs/formatio@3.2.2
• @sinonjs/samsam@3.3.3
• @sinonjs/text-encoding@0.7.3
• ansi-escapes@7.0.0
• ansi-regex@6.1.0
• any-promise@1.3.0
• argv-formatter@1.0.0
• array-from@2.1.1
• assertion-error@1.1.0
• before-after-hook@4.0.0
• chai@4.5.0
• chalk@5.4.1
• char-regex@1.0.2
• check-error@1.0.3
• cli-highlight@2.1.11
• cli-table3@0.6.5
• conventional-changelog-angular@8.0.0
• conventional-changelog-writer@8.1.0
• conventional-commits-filter@5.0.0
• conventional-commits-parser@6.1.0
• convert-hrtime@5.0.0
• deep-eql@4.1.4
• diff@3.5.1
• duplexer2@0.1.4
• emojilib@2.4.0
• env-ci@11.2.0
• environment@1.1.0
• execa@9.6.0
• fast-content-type-parse@3.0.0
• figures@6.1.0
• figures@2.0.0
• find-up@2.1.0
• find-versions@6.0.0
• fs-extra@11.3.0
• function-timeout@1.0.2
• get-func-name@2.0.2
• get-stream@9.0.1
• get-stream@6.0.1
• git-log-parser@1.2.1
• globby@14.1.0
• has-flag@3.0.0
• highlight.js@10.7.3
• hook-std@3.0.0
• human-signals@8.0.1
• ignore@7.0.5
• import-fresh@3.3.1
• import-from-esm@2.0.0
• index-to-position@1.1.0
• is-plain-obj@4.1.0
• is-stream@4.0.1
• is-unicode-supported@2.1.0
• isarray@0.0.1
• issue-parser@7.0.1
• java-properties@1.0.2
• just-extend@4.2.1
• load-json-file@4.0.0
• locate-path@2.0.0
• lolex@4.2.0
• lolex@5.1.2
• loupe@2.3.7
• marked@15.0.12
• marked-terminal@7.3.0
• meow@13.2.0
• mime@4.0.7
• mz@2.7.0
• nise@1.5.3
• node-emoji@2.2.0
• npm-run-path@6.0.0
• p-each-series@3.0.0
• p-limit@1.3.0
• p-locate@2.0.0
• p-reduce@3.0.0
• p-try@1.0.0
• parse-ms@4.0.0
• parse5@5.1.1
• parse5@6.0.1
• parse5-htmlparser2-tree-adapter@6.0.1
• path-to-regexp@1.9.0
• path-type@6.0.0
• pathval@1.1.1
• pify@3.0.0
• pkg-conf@2.1.0
• pretty-ms@9.2.0
• read-package-up@11.0.0
• semantic-release@24.2.5
• semver@7.7.2
• semver-diff@4.0.0
• semver-regex@4.0.5
• shell-quote@1.8.1
• signale@1.4.0
• sinon@7.5.0
• skin-tone@2.0.0
• spawn-error-forwarder@1.0.0
• split2@1.0.0
• stream-combiner2@1.1.1
• strip-final-newline@4.0.0
• super-regex@1.0.0
• supports-color@5.5.0
• supports-hyperlinks@3.2.0
• thenify@3.3.1
• thenify-all@1.6.0
• through2@2.0.5
• time-span@5.1.0
• type-detect@4.0.8
• type-detect@4.1.0
• unicode-emoji-modifier-base@1.0.0
• unicorn-magic@0.3.0
• universal-user-agent@7.0.3
• yoctocolors@2.1.1