The Contentstack Utils Javascript package helps you convert the data inside your JSON Rich Text Editor field from JSON to HTML format and vice versa.
OpenSSF Scorecard report
6.5
Overall Score
10/10 Critical Risk
30/50 High Risk
31/50 Medium Risk
10/20 Low Risk
Generated on August 11, 2025
| Scorecard vv5.2.1-40-gf6ed084d
Security Checks
no binaries found in the repo
Determines if the project has generated executable (binary) artifacts in the source repository.
all changesets reviewed
Determines if the project requires human code review before pull requests (aka merge requests) are merged.
no dangerous workflow patterns detected
Determines if the project's GitHub Action workflows avoid dangerous patterns.
license file detected
Determines if the project has defined a license.
Show details
ℹ️
Info: project has a license file: LICENSE:0
ℹ️
Info: FSF or OSI recognized license: MIT License: LICENSE:0
packaging workflow detected
Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.
Show details
ℹ️
Info: Project packages its releases by way of GitHub Actions.: .github/workflows/npm-publish.yml:10
SAST tool detected
Determines if the project uses static code analysis.
Show details
ℹ️
Info: SAST configuration detected: CodeQL
ℹ️
Info: SAST configuration detected: Snyk
ℹ️
Info: all commits (30) are checked with a SAST tool
security policy file detected
Determines if the project has published a security policy.
Show details
ℹ️
Info: security policy file detected: SECURITY.md:1
ℹ️
Info: Found linked content: SECURITY.md:1
ℹ️
Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
ℹ️
Info: Found text in security policy: SECURITY.md:1
9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7
Determines if the project is "actively maintained".
7 existing vulnerabilities detected
Determines if the project has open, known unfixed vulnerabilities.
Show details
⚠️
Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
⚠️
Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
⚠️
Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4
⚠️
Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
⚠️
Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m
⚠️
Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
⚠️
Warn: Project is vulnerable to: GHSA-52f5-9888-hmc6
dependency not pinned by hash detected -- score normalized to 1
Determines if the project has declared and pinned the dependencies of its build process.
Show details
⚠️
Warn: third-party GitHubAction not pinned by hash: .github/workflows/check-branch.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/check-branch.yml/master?enable=pin
⚠️
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/ci.yml/master?enable=pin
⚠️
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/ci.yml/master?enable=pin
⚠️
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/ci.yml/master?enable=pin
⚠️
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/ci.yml/master?enable=pin
⚠️
Warn: third-party GitHubAction not pinned by hash: .github/workflows/code.cov.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/code.cov.yml/master?enable=pin
⚠️
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/codeql-analysis.yml/master?enable=pin
⚠️
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/codeql-analysis.yml/master?enable=pin
⚠️
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/codeql-analysis.yml/master?enable=pin
⚠️
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/codeql-analysis.yml/master?enable=pin
⚠️
Warn: third-party GitHubAction not pinned by hash: .github/workflows/issues-jira.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/issues-jira.yml/master?enable=pin
⚠️
Warn: third-party GitHubAction not pinned by hash: .github/workflows/issues-jira.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/issues-jira.yml/master?enable=pin
⚠️
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-publish.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/npm-publish.yml/master?enable=pin
⚠️
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-publish.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/npm-publish.yml/master?enable=pin
⚠️
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-publish.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/npm-publish.yml/master?enable=pin
⚠️
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-publish.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/npm-publish.yml/master?enable=pin
⚠️
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/policy-scan.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/policy-scan.yml/master?enable=pin
⚠️
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/policy-scan.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/policy-scan.yml/master?enable=pin
⚠️
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sca-scan.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/sca-scan.yml/master?enable=pin
⚠️
Warn: third-party GitHubAction not pinned by hash: .github/workflows/sca-scan.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/sca-scan.yml/master?enable=pin
⚠️
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/secrets-scan.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/contentstack/contentstack-utils-javascript/secrets-scan.yml/master?enable=pin
⚠️
Warn: downloadThenRun not pinned by hash: .github/workflows/secrets-scan.yml:29
ℹ️
Info: 0 out of 13 GitHub-owned GitHubAction dependencies pinned
ℹ️
Info: 0 out of 8 third-party GitHubAction dependencies pinned
ℹ️
Info: 2 out of 2 npmCommand dependencies pinned
ℹ️
Info: 0 out of 1 downloadThenRun dependencies pinned
no effort to earn an OpenSSF best practices badge detected
Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.
project is not fuzzed
Determines if the project uses fuzzing.
Show details
⚠️
Warn: no fuzzer integrations found
detected GitHub workflow tokens with excessive permissions
Determines if the project's workflows follow the principle of least privilege.
Show details
ℹ️
Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:24
ℹ️
Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:25
⚠️
Warn: no topLevel permission defined: .github/workflows/check-branch.yml:1
⚠️
Warn: no topLevel permission defined: .github/workflows/ci.yml:1
⚠️
Warn: no topLevel permission defined: .github/workflows/code.cov.yml:1
⚠️
Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1
⚠️
Warn: no topLevel permission defined: .github/workflows/issues-jira.yml:1
⚠️
Warn: no topLevel permission defined: .github/workflows/npm-publish.yml:1
⚠️
Warn: no topLevel permission defined: .github/workflows/policy-scan.yml:1
⚠️
Warn: no topLevel permission defined: .github/workflows/sca-scan.yml:1
⚠️
Warn: no topLevel permission defined: .github/workflows/secrets-scan.yml:1
ℹ️
Info: no jobLevel write permissions found
internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Determines if the default and release branches are protected with GitHub's branch protection settings.
Links
- Source: https://github.com/contentstack/contentstack-utils-javascript
- JSON API: repos.ecosyste.ms
-
PURL:
pkg:github/contentstack/contentstack-utils-javascript
Repository Details
- Stars 5
- Forks 2
- Open issues 3
- License mit
- Language TypeScript
- Size 1.75 MB
- Created at over 5 years ago
- Updated at 16 days ago
- Pushed at 6 days ago
- Last synced at 5 days ago
- Dependencies parsed at Pending
Commit Stats
- Commits 97
- Authors 7
- Mean commits per author 13.86
- DDS 0.32
- More commit stats