add a version

[therealnb]

No description provided.

[github-actions]

Dependency Review

The following issues were found:

• ❌ 1 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.
• ⚠️ 1 packages with OpenSSF Scorecard issues.

See the Details below.

Vulnerabilities

pom.xml

Name	Version	Vulnerability	Severity
org.springframework.boot:spring-boot-starter-web	2.5.4	Remote Code Execution in Spring Framework	critical

License Issues

package.json

Package	Version	License	Issue Type
bugsnagmw	1.0.3	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
gomod/github.com/ThreeDotsLabs/watermill	1.3.5	🟢 4.4	Details Check Score Reason Code-Review 🟢 4 Found 14/30 approved changesets -- score normalized to 4 Maintained 🟢 10 11 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected
gomod/github.com/alexdrl/zerowater	0.0.3	Unknown	Unknown
npm/bugsnagmw	1.0.3	Unknown	Unknown
npm/got	^14.2.1	🟢 5.9	Details Check Score Reason Code-Review 🟢 3 Found 11/30 approved changesets -- score normalized to 3 Maintained 🟢 7 5 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Binary-Artifacts 🟢 10 no binaries found in the repo Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
npm/jest	^29.7.1	Unknown	Unknown
npm/octokit	^3.1.3	🟢 7.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 24 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 9 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4
npm/@octokit/request-error	^5.0.1	🟢 7.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 25 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Fuzzing ⚠️ 0 project is not fuzzed Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5
npm/@types/jest	^29.5.12	🟢 6.9	Details Check Score Reason Code-Review 🟢 8 Found 24/30 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/ansi-styles	^6.2.1	🟢 4.3	Details Check Score Reason Code-Review 🟢 3 Found 11/30 approved changesets -- score normalized to 3 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
npm/bluebird	^3.7.2	⚠️ 1.8	Details Check Score Reason Code-Review 🟢 3 Found 9/26 approved changesets -- score normalized to 3 Maintained ⚠️ 0 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ -1 no workflows found Token-Permissions ⚠️ -1 No tokens found Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 43 existing vulnerabilities detected
npm/got	^14.2.0	🟢 5.9	Details Check Score Reason Code-Review 🟢 3 Found 11/30 approved changesets -- score normalized to 3 Maintained 🟢 7 5 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Binary-Artifacts 🟢 10 no binaries found in the repo Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
npm/jest	^29.7.0	Unknown	Unknown
npm/octokit	^3.1.2	🟢 7.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 24 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 9 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4
maven/org.springframework.boot:spring-boot-starter-web	2.5.4	🟢 5.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 26 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 no SAST tool detected Fuzzing 🟢 10 project is fuzzed Binary-Artifacts 🟢 5 binaries present in source code Vulnerabilities 🟢 7 3 existing vulnerabilities detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3
maven/org.springframework.boot:spring-boot-maven-plugin		🟢 5.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 26 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 no SAST tool detected Fuzzing 🟢 10 project is fuzzed Binary-Artifacts 🟢 5 binaries present in source code Vulnerabilities 🟢 7 3 existing vulnerabilities detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3
maven/org.springframework.boot:spring-boot-starter-security	2.5.4	🟢 5.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 26 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 no SAST tool detected Fuzzing 🟢 10 project is fuzzed Binary-Artifacts 🟢 5 binaries present in source code Vulnerabilities 🟢 7 3 existing vulnerabilities detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3
pip/Authlib	1.3.0	🟢 6.7	Details Check Score Reason Code-Review 🟢 6 Found 12/19 approved changesets -- score normalized to 6 Maintained 🟢 10 14 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 9 SAST tool detected but not run on all commits Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
pip/boto3	1.34.102	🟢 7.9	Details Check Score Reason Code-Review ⚠️ 0 Found 2/28 approved changesets -- score normalized to 0 Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies 🟢 10 all dependencies are pinned Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits
pip/google-cloud-storage	2.16.0	🟢 8.1	Details Check Score Reason Maintained 🟢 10 18 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Token-Permissions ⚠️ -1 No tokens found Dangerous-Workflow ⚠️ -1 no workflows found Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing 🟢 10 project is fuzzed Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 8 2 existing vulnerabilities detected
pip/pyarrow	16.0.0	Unknown	Unknown
pip/slowapi	0.1.9	Unknown	Unknown
pip/uvicorn	0.29.1	🟢 6.3	Details Check Score Reason Maintained 🟢 10 19 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 24/27 approved changesets -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0

Trusty Scores

❌ 1 malicious packages found. ❌ 1 fails found. ⚠️ 2 warnings found. Expand to learn more.

Trusty is a free service that helps developers evaluate the risk profile of open-source packages. Packages are rated 0 to 10 with higher ratings indicating safer packages. Learn how.

	Dependency	Version	Score	Warnings
Added	bugsnagmw	1.0.3	❌ 0	❌ Malicious	activity 0 malicious true provenance 5 typosquatting 10 activity_user 0 activity_repo 0
Added	github.com/alexdrl/zerowater	0.0.3	⚠️ 1.4		activity 1.4 malicious false provenance 10 typosquatting 10 activity_user 1.9 activity_repo 1
Updated	octokit	^3.1.3	⚠️ 5		activity 7 malicious false provenance 10 typosquatting 5 activity_user 7.3 activity_repo 6.7
		^3.1.2	⚠️ 5		activity 7 malicious false provenance 10 typosquatting 5 activity_user 7.3 activity_repo 6.7
Added	Authlib	1.3.0	⚠️ 5		activity 6.8 malicious false provenance 8 typosquatting 5 activity_user 6.9 activity_repo 6.6
Added	slowapi	0.1.9	✅ 5.8		activity 5.8 malicious false provenance 8 typosquatting 10 activity_user 6.8 activity_repo 4.8
Added	github.com/ThreeDotsLabs/watermill	1.3.5	✅ 6		activity 6 malicious false provenance 10 typosquatting 10 activity_user 5.4 activity_repo 6.5
Added	google-cloud-storage	2.16.0	✅ 6.2		activity 6.2 malicious false provenance 8 typosquatting 10 activity_user 6.5 activity_repo 5.8
Added	uvicorn	0.29.1	✅ 6.6		activity 6.6 malicious false provenance 8 typosquatting 10 activity_user 6.5 activity_repo 6.8
Updated	got	^14.2.1	✅ 7.1		activity 7.1 malicious false provenance 8 typosquatting 10 activity_user 6.8 activity_repo 7.4
		^14.2.0	✅ 7.1		activity 7.1 malicious false provenance 8 typosquatting 10 activity_user 6.8 activity_repo 7.4
Added	boto3	1.34.102	✅ 7.6		activity 7.6 malicious false provenance 8 typosquatting 8 activity_user 7.4 activity_repo 7.8
Updated	jest	^29.7.1	✅ 8		activity 8.8 malicious false provenance 8 typosquatting 10 activity_user 8.3 activity_repo 9.4
		^29.7.0	✅ 8		activity 8.8 malicious false provenance 8 typosquatting 10 activity_user 8.3 activity_repo 9.4
Added	org.springframework.boot:spring-boot-starter-web	2.5.4	✅ 8		activity 8.8 malicious false provenance 8 typosquatting 10 activity_user 7.5 activity_repo 10
Added	org.springframework.boot:spring-boot-maven-plugin		✅ 8		activity 8.8 malicious false provenance 8 typosquatting 10 activity_user 7.5 activity_repo 10
Added	org.springframework.boot:spring-boot-starter-security	2.5.4	✅ 8		activity 8.8 malicious false provenance 8 typosquatting 10 activity_user 7.5 activity_repo 10
Added	pyarrow	16.0.0	✅ 8		activity 8.1 malicious false provenance 8 typosquatting 10 activity_user 6.7 activity_repo 9.5
Removed	@types/jest	^29.5.12	⚠️ 5		activity 9.1 malicious false provenance 5 typosquatting 8 activity_user 8.2 activity_repo 10
Removed	@octokit/request-error	^5.0.1	✅ 5.2		activity 5.2 malicious false provenance 10 typosquatting 10 activity_user 7.9 activity_repo 2.6
Removed	ansi-styles	^6.2.1	✅ 6.6		activity 6.6 malicious false provenance 8 typosquatting 10 activity_user 9.6 activity_repo 3.6
Removed	bluebird	^3.7.2	✅ 8		activity 8.1 malicious false provenance 8 typosquatting 10 activity_user 8.3 activity_repo 8

Scanned Manifest Files

go.mod

• github.com/ThreeDotsLabs/[email protected]
• github.com/alexdrl/[email protected]

package.json

• [email protected]
• got@^14.2.1
• jest@^29.7.1
• octokit@^3.1.3
• @octokit/request-error@^5.0.1
• @types/jest@^29.5.12
• ansi-styles@^6.2.1
• bluebird@^3.7.2
• got@^14.2.0
• jest@^29.7.0
• octokit@^3.1.2

pom.xml

• org.springframework.boot:[email protected]
• org.springframework.boot:spring-boot-maven-plugin@
• org.springframework.boot:[email protected]

pyproject.toml

• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]