Will It Vibe?
SEC-020High severity-15 points

Historically compromised package

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

Checks dependency names against a small curated list of packages with documented supply-chain compromise incidents.

Why it matters

These package names have documented incidents where malicious code was published under them, which is why they are flagged by name rather than by version. Depending on them means one bad update can execute code in your build or runtime. Even if the current version is clean, they carry a track record worth checking.

How to fix it

Check why each flagged package is in your tree with npm ls <name>. Remove flatmap-stream outright, replace event-stream usage with native Node streams or a maintained alternative, and make sure eslint-scope resolves to a current version (the malicious 3.7.2 was pulled from npm years ago). Run npm audit and commit the cleaned lockfile.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks