JSPM

@cyberhub/trust-xml2js

1.0.2
  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 19
  • Score
    100M100P100Q55083F
  • License MIT

Security Trust Report: xml2js@0.6.2 — 61/100 (C+, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.

Package Exports

    This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@cyberhub/trust-xml2js) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

    Readme

    Security Trust Report: xml2js

    xml2js@0.6.2: 61/100 | Grade: C+ | Tier: STANDARD (confidence: ±3)

    Data verified on 2026-04-02 from 8 security databases.

    TL;DR

    • 1 vulnerability found (1 critical, 0 high)
    • Consider switching to fast-xml-parser (Faster, no prototype pollution)
    • Pin your version and monitor for changes

    Score Breakdown

    Maintainer Trust:  █████████████░░░░░░░ 67/100
Package Health:    █████████████████░░░ 87/100
Supply Chain:      ███████░░░░░░░░░░░░░ 34/100
Community:         █████████░░░░░░░░░░░ 47/100

    Why this score?

    • Supply Chain is 34 because: 1 known CVEs, in breach database
    • Community is 47 because: no GitHub repo found

    Vulnerabilities (1 vulnerability)

    Severity Count
    🔴 Critical 1

    Key Risk Flags

    • 🔴 CRITICAL: RECENT-ISH BREACH: Prototype pollution CVE-2023-0842 (2023)
    • 🔴 CRITICAL: 1 CRITICAL vulnerability(ies) from live CVE databases
    • 🟠 HIGH: Maintainer(s) removed in v0.2.2: maqr
    • 🟠 HIGH: Burst publishing detected — 5+ versions in a single day

    🛠️ What Should You Do?

    Immediate:

    • Upgrade to the latest version (npm update xml2js)
    • Consider replacing with fast-xml-parser

    Always:

    🔄 Safer Alternatives

    Package Why Trust Report
    fast-xml-parser Faster, no prototype pollution View score
    htmlparser2 Streaming XML/HTML parser View score

    Maintainers

    • leonidas ✅ 2FA enabled (org email)

    Methodology

    This score is computed from 18+ signals across 4 categories:

    • Maintainer Trust (35%): Account age, 2FA, publish cadence, maintainer changes, email domain
    • Package Health (25%): Install scripts, dependency count, license, provenance, size changes, code quality
    • Supply Chain (25%): Live CVEs from 8 databases, known breaches, typosquatting, transitive risk
    • Community (15%): GitHub stars, contributors, CI, OpenSSF Scorecard, npms.io quality

    Full scoring methodology →

    Check Your Project

    # Install pkgtrust
npm install -g @cyberhub/pkgtrust

# Scan a specific package
pkgtrust scan xml2js

# Scan all your dependencies
pkgtrust scan

# Compare alternatives
pkgtrust compare xml2js fast-xml-parser htmlparser2

    Data Sources: GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev

    Report by pkgtrust · Dashboard · Compare · CLI

    This is an automated security report. Not affiliated with the xml2js team. Updated 2026-04-02.