chore(dev)(deps-dev): bump the dev-deps group across 1 directory with 10 updates

[dependabot]

Bumps the dev-deps group with 10 updates in the / directory:

Package	From	To
@types/node	24.5.1	24.9.1
eslint	9.36.0	9.38.0
eslint-plugin-react-hooks	5.2.0	7.0.1
eslint-plugin-storybook	9.1.6	9.1.15
eslint-plugin-unused-imports	4.2.0	4.3.0
prettier-plugin-tailwindcss	0.6.14	0.7.1
stylelint	16.24.0	16.25.0
stylelint-config-standard	39.0.0	39.0.1
typescript	5.9.2	5.9.3
vitest	3.2.4	4.0.3

Updates @types/node from 24.5.1 to 24.9.1

Commits

• See full diff in compare view

Updates eslint from 9.36.0 to 9.38.0

Release notes

Sourced from eslint's releases.

v9.38.0

Features

• ce40f74 feat: update complexity rule to only highlight function header (#20048) (Atul Nair)
• e37e590 feat: correct no-loss-of-precision false positives with e notation (#20187) (Francesco Trotta)

Bug Fixes

• 50c3dfd fix: improve type support for isolated dependencies in pnpm (#20201) (Francesco Trotta)
• a1f06a3 fix: correct SourceCode typings (#20114) (Pixel998)

Documentation

• 462675a docs: improve web accessibility by hiding non-semantic character (#20205) (루밀LuMir)
• c070e65 docs: correct formatting in no-irregular-whitespace rule documentation (#20203) (루밀LuMir)
• b39e71a docs: Update README (GitHub Actions Bot)
• cd39983 docs: move custom-formatters type descriptions to nodejs-api (#20190) (Percy Ma)

Chores

• d17c795 chore: upgrade @​eslint/js@​9.38.0 (#20221) (Milos Djermanovic)
• 25d0e33 chore: package.json update for @​eslint/js release (Jenkins)
• c82b5ef refactor: Use types from @​eslint/core (#20168) (Nicholas C. Zakas)
• ff31609 ci: add Node.js 25 to ci.yml (#20220) (루밀LuMir)
• 004577e ci: bump github/codeql-action from 3 to 4 (#20211) (dependabot[bot])
• eac71fb test: remove use of nodejsScope option of eslint-scope from tests (#20206) (Milos Djermanovic)
• 4168a18 chore: fix typo in legacy-eslint.js (#20202) (Sweta Tanwar)
• 205dbd2 chore: fix typos (#20200) (ntnyq)
• dbb200e chore: use team member's username when name is not available in data (#20194) (Milos Djermanovic)
• 8962089 chore: mark deprecated rules as available until v11.0.0 (#20184) (Pixel998)

v9.37.0

Features

• 39f7fb4 feat: preserve-caught-error should recognize all static "cause" keys (#20163) (Pixel998)
• f81eabc feat: support TS syntax in no-restricted-imports (#19562) (Nitin Kumar)

Bug Fixes

• a129cce fix: correct no-loss-of-precision false positives for leading zeros (#20164) (Francesco Trotta)
• 09e04fc fix: add missing AST token types (#20172) (Pixel998)
• 861c6da fix: correct ESLint typings (#20122) (Pixel998)

Documentation

• b950359 docs: fix typos across the docs (#20182) (루밀LuMir)
• 42498a2 docs: improve ToC accessibility by hiding non-semantic character (#20181) (Percy Ma)
• 29ea092 docs: Update README (GitHub Actions Bot)
• 5c97a04 docs: show availableUntil in deprecated rule banner (#20170) (Pixel998)
• 90a71bf docs: update README files to add badge and instructions (#20115) (루밀LuMir)
• 1603ae1 docs: update references from master to main (#20153) (루밀LuMir)

Chores

• afe8a13 chore: update @eslint/js dependency to version 9.37.0 (#20183) (Francesco Trotta)
• abee4ca chore: package.json update for @​eslint/js release (Jenkins)
• fc9381f chore: fix typos in comments (#20175) (overlookmotel)
• e1574a2 chore: unpin jiti (#20173) (renovate[bot])

... (truncated)

Commits

• 8fe511b 9.38.0
• f961736 Build: changelog update for 9.38.0
• d17c795 chore: upgrade @​eslint/js@​9.38.0 (#20221)
• 25d0e33 chore: package.json update for @​eslint/js release
• 50c3dfd fix: improve type support for isolated dependencies in pnpm (#20201)
• c82b5ef refactor: Use types from @​eslint/core (#20168)
• ff31609 ci: add Node.js 25 to ci.yml (#20220)
• ce40f74 feat: update complexity rule to only highlight function header (#20048)
• e37e590 feat: correct no-loss-of-precision false positives with e notation (#20187)
• 004577e ci: bump github/codeql-action from 3 to 4 (#20211)
• Additional commits viewable in compare view

Updates eslint-plugin-react-hooks from 5.2.0 to 7.0.1

Changelog

Sourced from eslint-plugin-react-hooks's changelog.

7.0.1

• Disallowed passing inline useEffectEvent values as JSX props to guard against accidental propagation. (#34820 by @​jf-eirinha)
• Switch to export = so eslint-plugin-react-hooks emits correct types for consumers in Node16 ESM projects. (#34949 by @​karlhorky)
• Tightened the typing of configs.flat so the configs export is always defined. (#34950 by @​poteto)
• Fix named import runtime errors. (#34951, #34953 by @​karlhorky)

7.0.0

This release slims down presets to just 2 configurations (recommended and recommended-latest), and all compiler rules are enabled by default.

• Breaking: Removed recommended-latest-legacy and flat/recommended configs. The plugin now provides recommended (legacy and flat configs with all recommended rules), and recommended-latest (legacy and flat configs with all recommended rules plus new bleeding edge experimental compiler rules). (@​poteto in #34757)

6.1.1

Note: 6.1.0 accidentally allowed use of recommended without flat config, causing errors when used with ESLint v9's defineConfig() helper. This has been fixed in 6.1.1.

• Fix recommended config for flat config compatibility. The recommended config has been converted to flat config format. Non-flat config users should use recommended-legacy instead. (@​poteto in #34700)
• Add recommended-latest and recommended-latest-legacy configs that include React Compiler rules. (@​poteto in #34675)
• Remove unused NoUnusedOptOutDirectives rule. (@​poteto in #34703)
• Remove hermes-parser and dependency. (@​poteto in #34719)
• Remove @babel/plugin-proposal-private-methods dependency. (@​ArnaudBarre and @​josephsavona in #34715)
• Update for Zod v3/v4 compatibility. (@​kolian and @​josephsavona in #34717)

6.1.0

Note: Version 6.0.0 was mistakenly released and immediately deprecated and untagged on npm. This is the first official 6.x major release and includes breaking changes.

• Breaking: Require Node.js 18 or newer. (@​michaelfaith in #32458)
• Breaking: Flat config is now the default recommended preset. Legacy config moved to recommended-legacy. (@​michaelfaith in #32457)
• New Violations: Disallow calling use within try/catch blocks. (@​poteto in #34040)
• New Violations: Disallow calling useEffectEvent functions in arbitrary closures. (@​jbrown215 in #33544)
• Handle React.useEffect in addition to useEffect in rules-of-hooks. (@​Ayc0 in #34076)
• Added react-hooks settings config option that to accept additionalEffectHooks that are used across exhaustive-deps and rules-of-hooks rules. (@​jbrown215) in #34497

6.0.0

Accidentally released. See 6.1.0 for the actual changes.

Commits

• See full diff in compare view

Updates eslint-plugin-storybook from 9.1.6 to 9.1.15

Release notes

Sourced from eslint-plugin-storybook's releases.

v9.1.15

9.1.15

• Core: Add `preview-first-load` telemetry - #32770, thanks @​shilman!
• Dependencies: Update `vite-plugin-storybook-nextjs` - #32821, thanks @​ndelangen!

v9.1.14

9.1.14

• NextJS: Add NextJS 16 support - #32791, thanks @​yannbf and @​ndelangen!
• Addon-Vitest: Support Vitest 4 - #32819, thanks @​yannbf and @​ndelangen!
• CSF: Fix `play-fn` tag for methods - #32695, thanks @​shilman!

v9.1.12

9.1.12

• Maintenance: Hotfix for missing nextjs dts files, thanks @​ndelangen!

v9.1.11

9.1.11

• Automigration: Improve the viewport/backgrounds automigration - #32619, thanks @​valentinpalkovic!
• Mocking: Fix `sb.mock` usage in Storybook's deployed in subpaths - #32678, thanks @​valentinpalkovic!
• NextJS-Vite: Automatically fix bad PostCSS configuration - #32691, thanks @​ndelangen!
• React Native Web: Fix REACT_NATIVE_AND_RNW should detect vite builder - #32718, thanks @​dannyhw!
• Telemetry: Add metadata for react routers - #32615, thanks @​shilman!

v9.1.10

9.1.10

• Automigrations: Add automigration for viewport and backgrounds - #31614, thanks @​valentinpalkovic!
• Telemetry: Log userAgent in onboarding - #32566, thanks @​shilman!

v9.1.9

9.1.9

• Angular: Enable experimental zoneless detection on Angular v21 - #32580, thanks @​yannbf!
• Svelte: Ignore inherited HTMLAttributes docgen when using utility types - #32173, thanks @​steciuk!

v9.1.8

9.1.8

• PreactVite: Add node entry point - #32534, thanks @​ndelangen!

v9.1.7

9.1.7

• Dependencies: Update vite-plugin-storybook-nextjs to 2.0.7 - #32331, thanks @​k35o!
• React: Preserve @ts-expect-error in preview - #32442, thanks @​mrginglymus!
• Telemetry: Queue error reporting & filter browser-extention - #32499, thanks @​ndelangen!

Changelog

Sourced from eslint-plugin-storybook's changelog.

9.1.15

• Core: Add preview-first-load telemetry - #32770, thanks @​shilman!
• Dependencies: Update vite-plugin-storybook-nextjs - #32821, thanks @​ndelangen!

9.1.14

• NextJS: Add NextJS 16 support - #32791, thanks @​yannbf and @​ndelangen!
• Addon-Vitest: Support Vitest 4 - #32819, thanks @​yannbf and @​ndelangen!
• CSF: Fix play-fn tag for methods - #32695, thanks @​shilman!

9.1.13

• Nextjs: Fix config access for Vite - #32759, thanks @​valentinpalkovic!

9.1.12

• Maintenance: Hotfix for missing nextjs dts files, thanks @​ndelangen!

9.1.11

• Automigration: Improve the viewport/backgrounds automigration - #32619, thanks @​valentinpalkovic!
• Mocking: Fix sb.mock usage in Storybook's deployed in subpaths - #32678, thanks @​valentinpalkovic!
• NextJS-Vite: Automatically fix bad PostCSS configuration - #32691, thanks @​ndelangen!
• React Native Web: Fix REACT_NATIVE_AND_RNW should detect vite builder - #32718, thanks @​dannyhw!
• Telemetry: Add metadata for react routers - #32615, thanks @​shilman!

9.1.10

• Automigrations: Add automigration for viewport and backgrounds - #31614, thanks @​valentinpalkovic!
• Telemetry: Log userAgent in onboarding - #32566, thanks @​shilman!

9.1.9

• Angular: Enable experimental zoneless detection on Angular v21 - #32580, thanks @​yannbf!
• Svelte: Ignore inherited HTMLAttributes docgen when using utility types - #32173, thanks @​steciuk!

9.1.8

• PreactVite: Add node entry point - #32534, thanks @​ndelangen!

9.1.7

• Dependencies: Update vite-plugin-storybook-nextjs to 2.0.7 - #32331, thanks @​k35o!
• React: Preserve @ts-expect-error in preview - #32442, thanks @​mrginglymus!
• Telemetry: Queue error reporting & filter browser-extention - #32499, thanks @​ndelangen!

Commits

• d0d17d9 Bump version from "9.1.14" to "9.1.15" [skip ci]
• 5afb39f Bump version from "9.1.13" to "9.1.14" [skip ci]
• c2483f0 Bump version from "9.1.12" to "9.1.13" [skip ci]
• efe8a7c Bump version from "9.1.11" to "9.1.12" [skip ci]
• 5b2e0ed Bump version from "9.1.10" to "9.1.11" [skip ci]
• 642f0cf Bump version from "9.1.9" to "9.1.10" [skip ci]
• 01867d0 Bump version from "9.1.8" to "9.1.9" [skip ci]
• 28833d4 Bump version from "9.1.7" to "9.1.8" [skip ci]
• 006b304 Bump version from "9.1.6" to "9.1.7" [skip ci]
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for eslint-plugin-storybook since your current version.

Updates eslint-plugin-unused-imports from 4.2.0 to 4.3.0

Commits

• 6e02be7 chore: release v4.3.0
• 44a7181 fix: preserve imports used in JSDoc @​link tags (#111)
• 275d96e chore: update deps
• See full diff in compare view

Updates prettier-plugin-tailwindcss from 0.6.14 to 0.7.1

Release notes

Sourced from prettier-plugin-tailwindcss's releases.

v0.7.1

Fixed

• Match against correct name of dynamic attributes when using regexes (#410)

v0.7.0

Added

• Format quotes in @source, @plugin, and @config (#387)
• Sort in function calls in Twig (#358)
• Sort in callable template literals (#367)
• Sort in function calls mixed with property accesses (#367)
• Support regular expression patterns for attributes (#405)
• Support regular expression patterns for function names (#405)

Changed

• Improved monorepo support by loading Tailwind CSS relative to the input file instead of prettier config file (#386)
• Improved monorepo support by loading v3 configs relative to the input file instead of prettier config file (#386)
• Fallback to Tailwind CSS v4 instead of v3 by default (#390)
• Don't augment global Prettier ParserOptions and RequiredOptions types (#354)
• Drop support for prettier-plugin-import-sort (#385)

Fixed

• Handle quote escapes in LESS when sorting @apply (#392)
• Fix whitespace removal inside nested concat and template expressions (#396)

Changelog

Sourced from prettier-plugin-tailwindcss's changelog.

[0.7.1] - 2025-10-17

Fixed

• Match against correct name of dynamic attributes when using regexes (#410)

[0.7.0] - 2025-10-14

Added

• Format quotes in @source, @plugin, and @config (#387)
• Sort in function calls in Twig (#358)
• Sort in callable template literals (#367)
• Sort in function calls mixed with property accesses (#367)
• Support regular expression patterns for attributes (#405)
• Support regular expression patterns for function names (#405)

Changed

• Improved monorepo support by loading Tailwind CSS relative to the input file instead of prettier config file (#386)
• Improved monorepo support by loading v3 configs relative to the input file instead of prettier config file (#386)
• Fallback to Tailwind CSS v4 instead of v3 by default (#390)
• Don't augment global Prettier ParserOptions and RequiredOptions types (#354)
• Drop support for prettier-plugin-import-sort (#385)

Fixed

• Handle quote escapes in LESS when sorting @apply (#392)
• Fix whitespace removal inside nested concat and template expressions (#396)

Commits

• a0fea3f 0.7.1
• 56fa1fc Update changelog
• 42aca0c Match against correct name of dynamic attributes when using regexes (#410)
• 3a58565 Fix building on windows
• 9fa7342 Correct typo in README (#407)
• e03702a 0.7.0
• cc87f7b Update changelog
• 7b9e2a7 Update changelog
• 95a3d4e Support regex matches for attributes and function names (#405)
• a195f71 Allow sorting classes inside function calls in Twig templates (#358)
• Additional commits viewable in compare view

Updates stylelint from 16.24.0 to 16.25.0

Release notes

Sourced from stylelint's releases.

16.25.0

It adds 3 new features, including experimental support for bulk suppressions. It's also our first immutable release, with the package published to npm using trusted publishing and our dependencies updated on a cool down for improved supply chain security.

• Added: support for bulk suppressions (#8564) (@​ryo-manba).
• Added: ignoreAtRules: [] to no-invalid-position-declaration (#8781) (@​jrmlt).
• Added: rule name to custom messages (#8774) (@​jhae-de).

Changelog

Sourced from stylelint's changelog.

16.25.0 - 2025-10-03

It adds 3 new features, including experimental support for bulk suppressions. It's also our first immutable release, with the package published to npm using trusted publishing and our dependencies updated on a cool down for improved supply chain security.

• Added: support for bulk suppressions (#8564) (@​ryo-manba).
• Added: ignoreAtRules: [] to no-invalid-position-declaration (#8781) (@​jrmlt).
• Added: rule name to custom messages (#8774) (@​jhae-de).

Commits

• a6efacb Release 16.25.0 (#8796)
• 9c623fb Document new release workflow (#8793)
• f34b6b4 Fix release-pr workflow failure (#8794)
• acc163e Use consistent workflow names (#8792)
• 55de5ed Use new release workflow (#8791)
• 242f757 Add rule name to custom messages (#8774)
• 9045b3e Bump rollup from 4.50.1 to 4.52.0 (#8789)
• 30abc78 Bump eslint from 9.35.0 to 9.36.0 in the eslint group (#8786)
• 808cff3 Bump stylelint/changelog-to-github-release-action from 0.3.1 to 0.5.1 (#8785)
• b478202 Add ignoreAtRules: [] to no-invalid-position-declaration (#8781)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for stylelint since your current version.

Updates stylelint-config-standard from 39.0.0 to 39.0.1

Release notes

Sourced from stylelint-config-standard's releases.

39.0.1

• Fixed: layer-name-pattern false positives for dot notation.

Changelog

Sourced from stylelint-config-standard's changelog.

39.0.1

• Fixed: layer-name-pattern false positives for dot notation.

Commits

• a2416d3 Release 39.0.1 (#374)
• 9911899 Fix layer-name-pattern false positives for dot notation (#373)
• 807ed8d Bump Stylelint (#371)
• f6aea8b Introduce new release workflow (#370)
• 5f6cc89 Bump stylelint/.github from 5c1fac886fb5f8f74e29e133f36d242770d03ed3 to 34f1c...
• 939280e Bump the dev-deps group with 2 updates (#368)
• 8cad224 Shorten dev dependencies group name for Dependabot (#367)
• 552ca29 Sync CODEOWNERS (#366)
• 6c540d2 Bump eslint from 9.34.0 to 9.35.0 in the development-dependencies group (#365)
• bc321ef Introduce cooldown period for Dependabot updates (#364)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for stylelint-config-standard since your current version.

Updates typescript from 5.9.2 to 5.9.3

Release notes

Sourced from typescript's releases.

TypeScript 5.9.3

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement

• fixed issues query for Typescript 5.9.0 (Beta).
• fixed issues query for Typescript 5.9.1 (RC).
• No specific changes for TypeScript 5.9.2 (Stable)
• fixed issues query for Typescript 5.9.3 (Stable).

Downloads are available on:

• npm

Commits

• c63de15 Bump version to 5.9.3 and LKG
• 8428ca4 🤖 Pick PR #62438 (Fix incorrectly ignored dts file fr...) into release-5.9 (#...
• a131cac 🤖 Pick PR #62351 (Add missing Float16Array constructo...) into release-5.9 (#...
• 0424333 🤖 Pick PR #62423 (Revert PR 61928) into release-5.9 (#62425)
• bdb641a 🤖 Pick PR #62311 (Fix parenthesizer rules for manuall...) into release-5.9 (#...
• 0d9b9b9 🤖 Pick PR #61978 (Restructure CI to prepare for requi...) into release-5.9 (#...
• 2dce0c5 Intentionally regress one buggy declaration output to an older version (#62163)
• See full diff in compare view

Updates vitest from 3.2.4 to 4.0.3

Release notes

Sourced from vitest's releases.

v4.0.3

   🐞 Bug Fixes

• Preserve reporter options from config when CLI reporters override them  -  by @​Copilot and sheremet-va in vitest-dev/vitest#8794 (15552)
• browser: More stable in-source testing validation  -  by @​sheremet-va in vitest-dev/vitest#8793 (62297)
• happy-dom: Support fetch globals  -  by @​sheremet-va in vitest-dev/vitest#8791 (0fb74)
• init: Use correct jsx/tsx extension  -  by @​sheremet-va in vitest-dev/vitest#8792 (abc04)

    View changes on GitHub

v4.0.2

   🐞 Bug Fixes

• browser:
  • Don't print the deprecation notice in node_modules  -  by @​sheremet-va in vitest-dev/vitest#8779 (588f7)
• pool:
  • Assign envs before running tests to keep in sync with process.env  -  by @​sheremet-va in vitest-dev/vitest#8769 (26ce8)
• spy:
  • Properly inherit implementation's length  -  by @​sheremet-va in vitest-dev/vitest#8778 (d4c2b)
  • Reset spies if both restoreMocks and mockReset are set in the config  -  by @​sheremet-va in vitest-dev/vitest#8781 (2eedb)

    View changes on GitHub

v4.0.1

   🐞 Bug Fixes

• Move the getBuiltins check  -  by @​sheremet-va in vitest-dev/vitest#8765 (81000)
• pool: Don't teardown the communication channel too soon if something is running after the test  -  by @​sheremet-va in vitest-dev/vitest#8767 (3fae7)

    View changes on GitHub

v4.0.0

Vitest 4.0 is out!

To stay updated, read our blog post and check the migration guide.

   🚨 Breaking Changes

• Remove 'basic' reporter  -  by @​AriPerkkio in vitest-dev/vitest#7884 (82fcf)
• Simplify default exclude pattern  -  by @​sheremet-va in vitest-dev/vitest#6287 (14c50)
• Remove deprecated getSourceMap  -  by @​sheremet-va in vitest-dev/vitest#8194 (ff934)
• Replace deprecated ErrorWithDiff with TestError  -  by @​sheremet-va in vitest-dev/vitest#8195 (da59e)
• Remove UserConfig type in favor of ViteUserConfig  -  by @​sheremet-va in vitest-dev/vitest#8196 (22f7f)
• Remove deprecated coverage options in favor of vitest/node exports  -  by @​sheremet-va in vitest-dev/vitest#8197 (dc848)
• Remove deprecated internal helpers and environment exports  -  by @​sheremet-va in vitest-dev/vitest#8198 (4703c)
• Remove deprecated typecheck and runner types  -  by @​sheremet-va in vitest-dev/vitest#8199 (89a1c)
• Remove Node types from the main entry point, use vitest/node instead  -  by @​sheremet-va in vitest-dev/vitest#8200 (1e60c)
• Remove support for Vite 5  -  by @​sheremet-va in vitest-dev/vitest#8202 (cb8b0)
• Remove deprecated types  -  by @​sheremet-va in vitest-dev/vitest#8203 (66bee)
• Remove deprecated environmentMatchGlobs and poolMatchGlobs  -  by @​sheremet-va in vitest-dev/vitest#8205 (be11d)

... (truncated)

Commits

• ca1766f chore: release v4.0.3
• 155521a fix: preserve reporter options from config when CLI reporters override them (...
• abc046f fix(init): use correct jsx/tsx extension (#8792)
• 0fb74bd fix(happy-dom): support fetch globals (#8791)
• 07bc56a chore: release v4.0.2
• 2eedbce fix(spy): reset spies if both restoreMocks and mockReset is set in the co...
• 26ce88d fix(pool): assign envs before running tests to keep in sync with process.env ...
• 4a28faa chore: release v4.0.1
• 3fae73e fix(pool): don't teardown the communication channel too soon if something is ...
• 8100063 fix: move the getBuiltins check (#8765)
• Additional commits viewa...

  Description has been truncated

[dependabot]

Labels

The following labels could not be found: bot:dependabot, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/@eslint/config-array	0.21.1	Unknown	Unknown
npm/@eslint/config-helpers	0.4.1	Unknown	Unknown
npm/@eslint/core	0.16.0	Unknown	Unknown
npm/@eslint/js	9.38.0	🟢 6.7	Details Check Score Reason Code-Review 🟢 6 Found 18/28 approved changesets -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Maintained 🟢 10 30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits
npm/@eslint/object-schema	2.1.7	Unknown	Unknown
npm/@eslint/plugin-kit	0.4.0	Unknown	Unknown
npm/@types/node	24.9.1	🟢 6.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 26/29 approved changesets -- score normalized to 8 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 9 license file detected Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/@vitest/expect	4.0.3	Unknown	Unknown
npm/@vitest/mocker	4.0.3	Unknown	Unknown
npm/@vitest/pretty-format	4.0.3	Unknown	Unknown
npm/@vitest/runner	4.0.3	Unknown	Unknown
npm/@vitest/snapshot	4.0.3	Unknown	Unknown
npm/@vitest/spy	4.0.3	Unknown	Unknown
npm/@vitest/utils	4.0.3	Unknown	Unknown
npm/chai	6.2.0	🟢 5.5	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 22 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 7 Found 13/18 approved changesets -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Packaging 🟢 10 packaging workflow detected Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/eslint	9.38.0	🟢 6.7	Details Check Score Reason Code-Review 🟢 6 Found 18/28 approved changesets -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Maintained 🟢 10 30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits
npm/eslint-plugin-react-hooks	7.0.1	🟢 5.8	Details Check Score Reason Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 2 badge detected: InProgress License 🟢 10 license file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 9 binaries present in source code Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 229 existing vulnerabilities detected
npm/eslint-plugin-storybook	9.1.15	🟢 7.2	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 11 out of 11 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no badge detected Code-Review 🟢 7 9 out of last 12 changesets reviewed before merge -- score normalized to 7 Contributors 🟢 10 42 different organizations found -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 30 commit(s) out of 30 and 11 issue activity out of 30 found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 no published package detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows Vulnerabilities 🟢 10 no vulnerabilities detected
npm/eslint-plugin-unused-imports	4.3.0	🟢 3.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 5 6 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 5 Code-Review ⚠️ 2 Found 7/29 approved changesets -- score normalized to 2 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities ⚠️ 0 15 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/hermes-estree	0.25.1	🟢 4.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Security-Policy 🟢 9 security policy file detected SAST ⚠️ 0 no SAST tool detected Binary-Artifacts 🟢 7 binaries present in source code Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing 🟢 10 project is fuzzed Vulnerabilities ⚠️ 0 28 existing vulnerabilities detected
npm/hermes-parser	0.25.1	🟢 4.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Security-Policy 🟢 9 security policy file detected SAST ⚠️ 0 no SAST tool detected Binary-Artifacts 🟢 7 binaries present in source code Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing 🟢 10 project is fuzzed Vulnerabilities ⚠️ 0 28 existing vulnerabilities detected
npm/magic-string	0.30.21	🟢 3.6	Details Check Score Reason Code-Review 🟢 4 Found 13/30 approved changesets -- score normalized to 4 Maintained 🟢 8 9 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 8 Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities ⚠️ 0 11 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/prettier-plugin-tailwindcss	0.7.1	Unknown	Unknown
npm/stylelint	16.25.0	🟢 7.7	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 9 Found 14/15 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 8 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 CII-Best-Practices ⚠️ 2 badge detected: InProgress Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 4 security policy file detected SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
npm/stylelint-config-standard	39.0.1	🟢 7.4	Details Check Score Reason Code-Review 🟢 7 Found 11/15 approved changesets -- score normalized to 7 Maintained 🟢 10 16 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 8 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 4 security policy file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 8 2 existing vulnerabilities detected SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
npm/tinyrainbow	3.0.3	Unknown	Unknown
npm/typescript	5.9.3	🟢 8.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Dependency-Update-Tool 🟢 10 update tool detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 9 1 existing vulnerabilities detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Binary-Artifacts 🟢 10 no binaries found in the repo SAST 🟢 10 SAST tool is run on all commits Branch-Protection ⚠️ -1 internal error: error during GetBranch(release-5.9): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Fuzzing 🟢 10 project is fuzzed CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 34 contributing companies or organizations
npm/undici-types	7.16.0	🟢 8.3	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Dependency-Update-Tool 🟢 10 update tool detected Code-Review 🟢 10 all changesets reviewed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Maintained 🟢 10 30 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected License 🟢 10 license file detected SAST 🟢 10 SAST tool is run on all commits Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 76 contributing companies or organizations
npm/vitest	4.0.3	Unknown	Unknown
npm/zod-validation-error	4.0.2	Unknown	Unknown
npm/@types/node	24.9.1	🟢 6.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 26/29 approved changesets -- score normalized to 8 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 9 license file detected Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/eslint	9.38.0	🟢 6.7	Details Check Score Reason Code-Review 🟢 6 Found 18/28 approved changesets -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Maintained 🟢 10 30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits
npm/eslint-plugin-react-hooks	7.0.1	🟢 5.8	Details Check Score Reason Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 2 badge detected: InProgress License 🟢 10 license file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 9 binaries present in source code Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 229 existing vulnerabilities detected
npm/eslint-plugin-storybook	9.1.15	🟢 7.2	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 11 out of 11 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no badge detected Code-Review 🟢 7 9 out of last 12 changesets reviewed before merge -- score normalized to 7 Contributors 🟢 10 42 different organizations found -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 30 commit(s) out of 30 and 11 issue activity out of 30 found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 no published package detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows Vulnerabilities 🟢 10 no vulnerabilities detected
npm/eslint-plugin-unused-imports	4.3.0	🟢 3.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 5 6 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 5 Code-Review ⚠️ 2 Found 7/29 approved changesets -- score normalized to 2 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities ⚠️ 0 15 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/prettier-plugin-tailwindcss	0.7.1	Unknown	Unknown
npm/stylelint	16.25.0	🟢 7.7	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 9 Found 14/15 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 8 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 CII-Best-Practices ⚠️ 2 badge detected: InProgress Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 4 security policy file detected SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
npm/stylelint-config-standard	39.0.1	🟢 7.4	Details Check Score Reason Code-Review 🟢 7 Found 11/15 approved changesets -- score normalized to 7 Maintained 🟢 10 16 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 8 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 4 security policy file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 8 2 existing vulnerabilities detected SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
npm/typescript	^5.9.3	🟢 8.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Dependency-Update-Tool 🟢 10 update tool detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 9 1 existing vulnerabilities detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Binary-Artifacts 🟢 10 no binaries found in the repo SAST 🟢 10 SAST tool is run on all commits Branch-Protection ⚠️ -1 internal error: error during GetBranch(release-5.9): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Fuzzing 🟢 10 project is fuzzed CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 34 contributing companies or organizations
npm/vitest	4.0.3	Unknown	Unknown

Scanned Files

• package-lock.json
• package.json

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.