JSPM

@cyberhub/trust-xml2js

1.0.3
  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 24
  • Score
    100M100P100Q55027F
  • License MIT

Security Trust Report: xml2js@0.6.2 — 61/100 (C+, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.

Package Exports

    This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@cyberhub/trust-xml2js) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

    Readme

    Security Trust Report: xml2js

    xml2js@0.6.2: 61/100 | Grade: C+ | Tier: STANDARD (confidence: ±3)

    Data verified on 2026-04-02 from 8 security databases.

    TL;DR

    • 1 vulnerability found (1 critical, 0 high)
    • Consider switching to fast-xml-parser (Faster, no prototype pollution)
    • Pin your version and monitor for changes

    Score Breakdown

    Maintainer Trust:  █████████████░░░░░░░ 67/100
Package Health:    █████████████████░░░ 87/100
Supply Chain:      ███████░░░░░░░░░░░░░ 34/100
Community:         █████████░░░░░░░░░░░ 47/100

    Why this score?

    • Supply Chain is 34 because: 1 known CVEs, in breach database
    • Community is 47 because: no GitHub repo found

    Vulnerabilities (1 vulnerability)

    Severity Count
    🔴 Critical 1

    Key Risk Flags

    • 🔴 CRITICAL: RECENT-ISH BREACH: Prototype pollution CVE-2023-0842 (2023)
    • 🔴 CRITICAL: 1 CRITICAL vulnerability(ies) from live CVE databases
    • 🟠 HIGH: Maintainer(s) removed in v0.2.2: maqr
    • 🟠 HIGH: Burst publishing detected — 5+ versions in a single day

    🛠️ What Should You Do?

    Immediate:

    • Upgrade to the latest version (npm update xml2js)
    • Or replace with fast-xml-parser

    Always: Pin version, run pkgtrust scan in CI, monitor at nrupak.com/trust/xml2js

    🔄 Safer Alternatives

    Package Why Trust Report
    fast-xml-parser Faster, no prototype pollution View score
    htmlparser2 Streaming XML/HTML parser View score

    Maintainers

    Methodology: 18+ signals across 4 categories (Maintainer 35%, Package 25%, Supply Chain 25%, Community 15%). Full scoring docs →

    Check your project: npm i -g @cyberhub/pkgtrust && pkgtrust scan xml2jsCLI docs Data Sources: GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev

    Report by pkgtrust · Dashboard · Compare · CLI

    This is an automated security report. Not affiliated with the xml2js team. Updated 2026-04-02.