Data

Tools

Indexes

Applications

Experiments

Repos

An open API service providing repository metadata for many open source software ecosystems.

NativeScript

⚡ Write Native with TypeScript ✨ Best of all worlds (TypeScript, Swift, Objective C, Kotlin, Java, Dart). Use what you love ❤️ Angular, React, Solid, Svelte, Vue with: iOS (UIKit, SwiftUI), Android (View, Jetpack Compose), Flutter and you name it compatible.

OpenSSF Scorecard report

6.5

Overall Score

10/10 Critical Risk
40/60 High Risk
10/30 Medium Risk
22/30 Low Risk
Generated on August 13, 2025 | Scorecard vv5.1.1
Security Checks
10/10
Contributors
Low Risk

project has 25 contributing companies or organizations

Determines if the project has a set of contributors from multiple organizations (e.g., companies).

Show details
ℹ️ Info: found contributions from: GDG-Sofia, LaraTicket, NativeScript, OpenNative, akylas, angular-sofia, fitcomtt, fuelics pc, infowrap, master-technology, master-technology @proplugins @nativescript, mongodb, mongodb-developer, nativescript-community, nativescript-vue, ngChina, nstudio, progress, progstr, proplugins, radzen, st6io, tangra, telerik, valor-software
10/10
Dangerous-Workflow
Critical Risk

no dangerous workflow patterns detected

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10/10
Dependency-Update-Tool
High Risk

update tool detected

Determines if the project uses a dependency update tool.

Show details
ℹ️ Info: detected update tool: Dependabot: :0
10/10
License
Low Risk

license file detected

Determines if the project has defined a license.

Show details
ℹ️ Info: project has a license file: LICENSE:0
ℹ️ Info: FSF or OSI recognized license: MIT License: LICENSE:0
10/10
Maintained
High Risk

27 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10

Determines if the project is "actively maintained".

10/10
Security-Policy
Medium Risk

security policy file detected

Determines if the project has published a security policy.

Show details
ℹ️ Info: security policy file detected: github.com/NativeScript/.github/SECURITY.md:1
ℹ️ Info: Found linked content: github.com/NativeScript/.github/SECURITY.md:1
ℹ️ Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/NativeScript/.github/SECURITY.md:1
ℹ️ Info: Found text in security policy: github.com/NativeScript/.github/SECURITY.md:1
10/10
Token-Permissions
High Risk

GitHub workflow tokens follow principle of least privilege

Determines if the project's workflows follow the principle of least privilege.

Show details
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/apps_automated_android.yml:3
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/apps_automated_ios.yml:3
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/npm_release_core.yml:3
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/npm_release_tns_core.yml:3
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/npm_release_types.yml:4
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/npm_release_webpack.yml:3
ℹ️ Info: topLevel permissions set to 'read-all': .github/workflows/ossf-scorecard.yml:18
ℹ️ Info: no jobLevel write permissions found
7/10
Vulnerabilities
High Risk

3 existing vulnerabilities detected

Determines if the project has open, known unfixed vulnerabilities.

Show details
⚠️ Warn: Project is vulnerable to: GHSA-52f5-9888-hmc6
⚠️ Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
⚠️ Warn: Project is vulnerable to: GHSA-76c9-3jph-rj3q
3/10
Code-Review
High Risk

Found 10/29 approved changesets -- score normalized to 3

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

2/10
CII-Best-Practices
Low Risk

badge detected: InProgress

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0/10
Binary-Artifacts
High Risk

binaries present in source code

Determines if the project has generated executable (binary) artifacts in the source repository.

Show details
⚠️ Warn: binary detected: packages/core/platforms/ios/NSCWinterTC.xcframework/ios-arm64/NSCWinterTC.framework/NSCWinterTC:1
⚠️ Warn: binary detected: packages/core/platforms/ios/NSCWinterTC.xcframework/ios-arm64/dSYMs/NSCWinterTC.framework.dSYM/Contents/Resources/DWARF/NSCWinterTC:1
⚠️ Warn: binary detected: packages/core/platforms/ios/NSCWinterTC.xcframework/ios-arm64_x86_64-maccatalyst/NSCWinterTC.framework/Versions/A/NSCWinterTC:1
⚠️ Warn: binary detected: packages/core/platforms/ios/NSCWinterTC.xcframework/ios-arm64_x86_64-maccatalyst/dSYMs/NSCWinterTC.framework.dSYM/Contents/Resources/DWARF/NSCWinterTC:1
⚠️ Warn: binary detected: packages/core/platforms/ios/NSCWinterTC.xcframework/ios-arm64_x86_64-simulator/NSCWinterTC.framework/NSCWinterTC:1
⚠️ Warn: binary detected: packages/core/platforms/ios/NSCWinterTC.xcframework/ios-arm64_x86_64-simulator/dSYMs/NSCWinterTC.framework.dSYM/Contents/Resources/DWARF/NSCWinterTC:1
⚠️ Warn: binary detected: packages/core/platforms/ios/NSCWinterTC.xcframework/xros-arm64/NSCWinterTC.framework/NSCWinterTC:1
⚠️ Warn: binary detected: packages/core/platforms/ios/NSCWinterTC.xcframework/xros-arm64/dSYMs/NSCWinterTC.framework.dSYM/Contents/Resources/DWARF/NSCWinterTC:1
⚠️ Warn: binary detected: packages/core/platforms/ios/NSCWinterTC.xcframework/xros-arm64_x86_64-simulator/NSCWinterTC.framework/NSCWinterTC:1
⚠️ Warn: binary detected: packages/core/platforms/ios/NSCWinterTC.xcframework/xros-arm64_x86_64-simulator/dSYMs/NSCWinterTC.framework.dSYM/Contents/Resources/DWARF/NSCWinterTC:1
⚠️ Warn: binary detected: packages/core/platforms/ios/TNSWidgets.xcframework/ios-arm64/TNSWidgets.framework/TNSWidgets:1
⚠️ Warn: binary detected: packages/core/platforms/ios/TNSWidgets.xcframework/ios-arm64/dSYMs/TNSWidgets.framework.dSYM/Contents/Resources/DWARF/TNSWidgets:1
⚠️ Warn: binary detected: packages/core/platforms/ios/TNSWidgets.xcframework/ios-arm64_x86_64-maccatalyst/TNSWidgets.framework/Versions/A/TNSWidgets:1
⚠️ Warn: binary detected: packages/core/platforms/ios/TNSWidgets.xcframework/ios-arm64_x86_64-maccatalyst/dSYMs/TNSWidgets.framework.dSYM/Contents/Resources/DWARF/TNSWidgets:1
⚠️ Warn: binary detected: packages/core/platforms/ios/TNSWidgets.xcframework/ios-arm64_x86_64-simulator/TNSWidgets.framework/TNSWidgets:1
⚠️ Warn: binary detected: packages/core/platforms/ios/TNSWidgets.xcframework/ios-arm64_x86_64-simulator/dSYMs/TNSWidgets.framework.dSYM/Contents/Resources/DWARF/TNSWidgets:1
⚠️ Warn: binary detected: packages/core/platforms/ios/TNSWidgets.xcframework/xros-arm64/TNSWidgets.framework/TNSWidgets:1
⚠️ Warn: binary detected: packages/core/platforms/ios/TNSWidgets.xcframework/xros-arm64/dSYMs/TNSWidgets.framework.dSYM/Contents/Resources/DWARF/TNSWidgets:1
⚠️ Warn: binary detected: packages/core/platforms/ios/TNSWidgets.xcframework/xros-arm64_x86_64-simulator/TNSWidgets.framework/TNSWidgets:1
⚠️ Warn: binary detected: packages/core/platforms/ios/TNSWidgets.xcframework/xros-arm64_x86_64-simulator/dSYMs/TNSWidgets.framework.dSYM/Contents/Resources/DWARF/TNSWidgets:1
⚠️ Warn: binary detected: packages/ui-mobile-base/android/gradle/wrapper/gradle-wrapper.jar:1
⚠️ Warn: binary detected: packages/winter-tc/android/gradle/wrapper/gradle-wrapper.jar:1
0/10
Fuzzing
Medium Risk

project is not fuzzed

Determines if the project uses fuzzing.

Show details
⚠️ Warn: no fuzzer integrations found
0/10
Pinned-Dependencies
Medium Risk

dependency not pinned by hash detected -- score normalized to 0

Determines if the project has declared and pinned the dependencies of its build process.

Show details
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/apps_automated_android.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/NativeScript/NativeScript/apps_automated_android.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/apps_automated_android.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/NativeScript/NativeScript/apps_automated_android.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/apps_automated_android.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/NativeScript/NativeScript/apps_automated_android.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/apps_automated_android.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/NativeScript/NativeScript/apps_automated_android.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/apps_automated_android.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/NativeScript/NativeScript/apps_automated_android.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/apps_automated_android.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/NativeScript/NativeScript/apps_automated_android.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/apps_automated_ios.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/NativeScript/NativeScript/apps_automated_ios.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/apps_automated_ios.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/NativeScript/NativeScript/apps_automated_ios.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/apps_automated_ios.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/NativeScript/NativeScript/apps_automated_ios.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/apps_automated_ios.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/NativeScript/NativeScript/apps_automated_ios.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm_release_core.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/NativeScript/NativeScript/npm_release_core.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/npm_release_core.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/NativeScript/NativeScript/npm_release_core.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm_release_tns_core.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/NativeScript/NativeScript/npm_release_tns_core.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm_release_webpack.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/NativeScript/NativeScript/npm_release_webpack.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ossf-scorecard.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/NativeScript/NativeScript/ossf-scorecard.yml/main?enable=pin
⚠️ Warn: npmCommand not pinned by hash: tools/scripts/build-docs.sh:18
⚠️ Warn: npmCommand not pinned by hash: tools/scripts/build-docs.sh:19
⚠️ Warn: npmCommand not pinned by hash: tools/scripts/build-docs.sh:20
⚠️ Warn: npmCommand not pinned by hash: tools/scripts/prepare-compat.sh:41
⚠️ Warn: npmCommand not pinned by hash: tools/scripts/prepare-core.sh:20
⚠️ Warn: npmCommand not pinned by hash: tools/scripts/prepare-core.sh:40
⚠️ Warn: npmCommand not pinned by hash: tools/scripts/prepare-core.sh:70
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/apps_automated_android.yml:50
⚠️ Warn: npmCommand not pinned by hash: .github/workflows/apps_automated_android.yml:51
⚠️ Warn: npmCommand not pinned by hash: .github/workflows/apps_automated_ios.yml:43
⚠️ Warn: npmCommand not pinned by hash: .github/workflows/npm_release_tns_core.yml:25
⚠️ Warn: npmCommand not pinned by hash: .github/workflows/npm_release_webpack.yml:24
ℹ️ Info: 2 out of 12 GitHub-owned GitHubAction dependencies pinned
ℹ️ Info: 1 out of 6 third-party GitHubAction dependencies pinned
ℹ️ Info: 0 out of 11 npmCommand dependencies pinned
ℹ️ Info: 0 out of 1 pipCommand dependencies pinned
N/A
Branch-Protection
Not Applicable

internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration

Determines if the default and release branches are protected with GitHub's branch protection settings.

N/A
CI-Tests
Not Applicable

internal error: internal error: Client.Repositories.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: non-200 OK status code: 502 Bad Gateway body: "<html>\r\n<head><title>502 Bad Gateway</title></head>\r\n<body>\r\n<center><h1>502 Bad Gateway</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n"

Determines if the project runs tests before pull requests are merged.

N/A
Packaging
Not Applicable

packaging workflow not detected

Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.

Show details
⚠️ Warn: no GitHub/GitLab publishing workflow detected.
N/A
SAST
Not Applicable

internal error: internal error: Client.Checks.ListCheckRunsForRef: error during graphqlHandler.setupCheckRuns: non-200 OK status code: 502 Bad Gateway body: "<html>\r\n<head><title>502 Bad Gateway</title></head>\r\n<body>\r\n<center><h1>502 Bad Gateway</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n"

Determines if the project uses static code analysis.

N/A
Signed-Releases
Not Applicable

no releases found

Determines if the project cryptographically signs release artifacts.

Links
Repository Details
  • Stars 25,457
  • Forks 1,733
  • Open issues 923
  • License mit
  • Language TypeScript
  • Size 177 MB
  • Created at about 11 years ago
  • Updated at 1 day ago
  • Pushed at 3 days ago
  • Last synced at about 10 hours ago
  • Dependencies parsed at Pending
Commit Stats
Topics
android, angular, capacitor, cross-platform, flutter, ios, java, javascript, kotlin, nativescript, objective-c, react, solidjs, svelte, swift, swiftui, typescript, visionos, visionpro, vue
Funding
https://github.com/sponsors/NativeScript, https://opencollective.com/nativescript