merge from upstream 20260515 by NeiRo21 · Pull Request #29 · NeiRo21/solid-client-authn-webext

NeiRo21 · 2026-05-15T22:34:58Z

Upgrade jose to v6 (Upgrade jose to v6 inrupt/solid-client-authn-js#4267)
Bump @types/node in the external-types group across 1 directory (Bump @types/node from 25.6.0 to 25.6.2 in the external-types group across 1 directory inrupt/solid-client-authn-js#4269)
Bump axios from 1.15.0 to 1.16.0 (Bump axios from 1.15.0 to 1.16.0 inrupt/solid-client-authn-js#4266)
Bump ip-address from 10.1.0 to 10.2.0 (Bump ip-address from 10.1.0 to 10.2.0 inrupt/solid-client-authn-js#4265)
Bump jest and @types/jest (Bump jest and @types/jest inrupt/solid-client-authn-js#4270)
Bump @rollup/plugin-terser from 0.4.4 to 1.0.0 (Bump @rollup/plugin-terser from 0.4.4 to 1.0.0 inrupt/solid-client-authn-js#4224)
Bump uuid from 11.1.0 to 14.0.0 (Bump uuid from 11.1.0 to 14.0.0 inrupt/solid-client-authn-js#4258)

* Bump jose to v6 * Adjust Jest config for ESM-only jose * Adjust to latest jose version * Temporary type bridge until cleaner openid-client migration * Fix windows CI config

…pt#4269) Bumps the external-types group with 1 update in the / directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node). Updates `@types/node` from 25.6.0 to 25.6.2 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-version: 25.6.2 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: external-types ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [axios](https://github.com/axios/axios) from 1.15.0 to 1.16.0. - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.15.0...v1.16.0) --- updated-dependencies: - dependency-name: axios dependency-version: 1.16.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [ip-address](https://github.com/beaugunderson/ip-address) from 10.1.0 to 10.2.0. - [Commits](https://github.com/beaugunderson/ip-address/commits) --- updated-dependencies: - dependency-name: ip-address dependency-version: 10.2.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump jest and @types/jest Bumps [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) and [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest). These dependencies needed to be updated together. Updates `jest` from 30.3.0 to 30.4.2 - [Release notes](https://github.com/jestjs/jest/releases) - [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md) - [Commits](https://github.com/jestjs/jest/commits/v30.4.2/packages/jest) Updates `@types/jest` from 29.5.14 to 30.0.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest) --- updated-dependencies: - dependency-name: "@types/jest" dependency-version: 30.0.0 dependency-type: direct:development update-type: version-update:semver-major - dependency-name: jest dependency-version: 30.4.2 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Bump jest and @types/jest Bumps [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) and [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest). These dependencies needed to be updated together. Updates `jest` from 30.3.0 to 30.4.2 - [Release notes](https://github.com/jestjs/jest/releases) - [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md) - [Commits](https://github.com/jestjs/jest/commits/v30.4.2/packages/jest) Updates `@types/jest` from 29.5.14 to 30.0.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest) --- updated-dependencies: - dependency-name: jest dependency-version: 30.4.2 dependency-type: direct:development update-type: version-update:semver-minor - dependency-name: "@types/jest" dependency-version: 30.0.0 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * Bump jest-jsdom --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Nicolas Ayral Seydoux <nseydoux@inrupt.com>

Bumps [@rollup/plugin-terser](https://github.com/rollup/plugins/tree/HEAD/packages/terser) from 0.4.4 to 1.0.0. - [Changelog](https://github.com/rollup/plugins/blob/master/packages/terser/CHANGELOG.md) - [Commits](https://github.com/rollup/plugins/commits/beep-v1.0.0/packages/terser) --- updated-dependencies: - dependency-name: "@rollup/plugin-terser" dependency-version: 1.0.0 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump uuid from 11.1.0 to 14.0.0 Bumps [uuid](https://github.com/uuidjs/uuid) from 11.1.0 to 14.0.0. - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md) - [Commits](uuidjs/uuid@v11.1.0...v14.0.0) --- updated-dependencies: - dependency-name: uuid dependency-version: 14.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * Adjust jest config to uuid being ESM * fixup! Adjust jest config to uuid being ESM --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Nicolas Ayral Seydoux <nseydoux@inrupt.com>

github-actions · 2026-05-15T22:35:17Z

Dependency Review

The following issues were found:

✅ 0 vulnerable package(s)
✅ 0 package(s) with incompatible licenses
✅ 0 package(s) with invalid SPDX license definitions
⚠️ 4 package(s) with unknown licenses.

See the Details below.

License Issues

packages/core/package.json

Package	Version	License	Issue Type
jose	^6.2.3	Null	Unknown License
uuid	^14.0.0	Null	Unknown License

packages/webext/package.json

Package	Version	License	Issue Type
jose	^6.2.3	Null	Unknown License
uuid	^14.0.0	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package

Version

Score

Details

npm/yaml

2.8.0

🟢 7.2

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	⚠️ 0	Found 0/11 approved changesets -- score normalized to 0
Security-Policy	🟢 10	security policy file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	🟢 9	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 2	dependency not pinned by hash detected -- score normalized to 2
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Fuzzing	🟢 10	project is fuzzed
Branch-Protection	🟢 3	branch protection is not maximal on development and all release branches
Signed-Releases	⚠️ -1	no releases found
SAST	🟢 10	SAST tool is run on all commits

npm/@emnapi/core

1.4.5

🟢 3.4

Details

Check	Score	Reason
Maintained	🟢 10	24 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 0	Found 0/30 approved changesets -- score normalized to 0
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/@emnapi/runtime

1.4.5

🟢 3.4

Details

Check	Score	Reason
Maintained	🟢 10	24 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 0	Found 0/30 approved changesets -- score normalized to 0
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/@emnapi/wasi-threads

1.0.4

🟢 3.4

Details

Check	Score	Reason
Maintained	🟢 10	24 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 0	Found 0/30 approved changesets -- score normalized to 0
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	⚠️ 0	security policy file not detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/@jest/core

30.4.2

Unknown

npm/@jest/diff-sequences

30.0.1

Unknown

npm/@nx/nx-darwin-arm64

22.7.2

🟢 7.1

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 10	all changesets reviewed
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Binary-Artifacts	🟢 7	binaries present in source code
SAST	🟢 7	SAST tool detected but not run on all commits
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/@nx/nx-darwin-x64

22.7.2

🟢 7.1

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 10	all changesets reviewed
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Binary-Artifacts	🟢 7	binaries present in source code
SAST	🟢 7	SAST tool detected but not run on all commits
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/@nx/nx-freebsd-x64

22.7.2

🟢 7.1

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 10	all changesets reviewed
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Binary-Artifacts	🟢 7	binaries present in source code
SAST	🟢 7	SAST tool detected but not run on all commits
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/@nx/nx-linux-arm-gnueabihf

22.7.2

🟢 7.1

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 10	all changesets reviewed
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Binary-Artifacts	🟢 7	binaries present in source code
SAST	🟢 7	SAST tool detected but not run on all commits
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/@nx/nx-linux-arm64-gnu

22.7.2

🟢 7.1

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 10	all changesets reviewed
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Binary-Artifacts	🟢 7	binaries present in source code
SAST	🟢 7	SAST tool detected but not run on all commits
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/@nx/nx-linux-arm64-musl

22.7.2

🟢 7.1

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 10	all changesets reviewed
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Binary-Artifacts	🟢 7	binaries present in source code
SAST	🟢 7	SAST tool detected but not run on all commits
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/@nx/nx-linux-x64-gnu

22.7.2

🟢 7.1

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 10	all changesets reviewed
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Binary-Artifacts	🟢 7	binaries present in source code
SAST	🟢 7	SAST tool detected but not run on all commits
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/@nx/nx-linux-x64-musl

22.7.2

🟢 7.1

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 10	all changesets reviewed
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Binary-Artifacts	🟢 7	binaries present in source code
SAST	🟢 7	SAST tool detected but not run on all commits
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/@nx/nx-win32-arm64-msvc

22.7.2

🟢 7.1

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 10	all changesets reviewed
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Binary-Artifacts	🟢 7	binaries present in source code
SAST	🟢 7	SAST tool detected but not run on all commits
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/@nx/nx-win32-x64-msvc

22.7.2

🟢 7.1

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 10	all changesets reviewed
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Binary-Artifacts	🟢 7	binaries present in source code
SAST	🟢 7	SAST tool detected but not run on all commits
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/@rollup/plugin-terser

1.0.0

🟢 4.3

Details

Check	Score	Reason
Code-Review	🟢 4	Found 10/24 approved changesets -- score normalized to 4
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Maintained	🟢 10	19 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Binary-Artifacts	🟢 7	binaries present in source code
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/@types/node

25.8.0

🟢 6.6

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 9	Found 27/29 approved changesets -- score normalized to 9
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Packaging	⚠️ -1	packaging workflow not detected
Security-Policy	🟢 10	security policy file detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
License	🟢 9	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/axios

1.16.0

🟢 8

Details

Check	Score	Reason
Code-Review	🟢 6	Found 18/28 approved changesets -- score normalized to 6
Security-Policy	🟢 10	security policy file detected
Maintained	🟢 10	30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	🟢 9	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies	🟢 5	dependency not pinned by hash detected -- score normalized to 5
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Packaging	🟢 10	packaging workflow detected
SAST	🟢 9	SAST tool is not run on all commits -- score normalized to 9

npm/balanced-match

4.0.3

🟢 5.6

Details

Check	Score	Reason
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Packaging	⚠️ -1	packaging workflow not detected
Security-Policy	🟢 10	security policy file detected
Maintained	🟢 9	10 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 9
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	⚠️ 2	Found 4/17 approved changesets -- score normalized to 2
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 9	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/dotenv-expand

12.0.3

🟢 3.8

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Maintained	🟢 10	14 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	⚠️ 0	Found 0/22 approved changesets -- score normalized to 0
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/ip-address

10.2.0

🟢 4.1

Details

Check	Score	Reason
Dangerous-Workflow	⚠️ -1	no workflows found
Code-Review	⚠️ 0	Found 1/30 approved changesets -- score normalized to 0
Token-Permissions	⚠️ -1	No tokens found
Packaging	⚠️ -1	packaging workflow not detected
Maintained	🟢 10	25 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ -1	no dependencies found
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/jest

30.4.2

Unknown

npm/jest-circus

30.4.2

Unknown

npm/jest-cli

30.4.2

Unknown

npm/jest-config

30.4.2

Unknown

npm/jest-resolve-dependencies

30.4.2

Unknown

npm/jest-runner

30.4.2

Unknown

npm/jest-runtime

30.4.2

Unknown

npm/jose

6.2.3

🟢 7.2

Details

Check	Score	Reason
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Code-Review	⚠️ 0	Found 0/24 approved changesets -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 7	dependency not pinned by hash detected -- score normalized to 7
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	🟢 3	branch protection is not maximal on development and all release branches
Packaging	🟢 10	packaging workflow detected
Signed-Releases	⚠️ -1	no releases found
SAST	🟢 10	SAST tool is run on all commits

npm/nx

22.7.2

🟢 7.1

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 10	all changesets reviewed
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 8	branch protection is not maximal on development and all release branches
Binary-Artifacts	🟢 7	binaries present in source code
SAST	🟢 7	SAST tool detected but not run on all commits
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/semver

7.8.0

🟢 6.4

Details

Check	Score	Reason
Security-Policy	🟢 10	security policy file detected
Maintained	🟢 6	8 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6
Code-Review	🟢 10	all changesets reviewed
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
SAST	🟢 9	SAST tool detected but not run on all commits

npm/serialize-javascript

7.0.5

🟢 4.5

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Maintained	🟢 8	6 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 8
Code-Review	🟢 3	Found 6/19 approved changesets -- score normalized to 3
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 9	license file detected
Signed-Releases	⚠️ -1	no releases found
Security-Policy	⚠️ 0	security policy file not detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/tmp

0.2.4

🟢 3.5

Details

Check	Score	Reason
Code-Review	⚠️ 1	Found 2/15 approved changesets -- score normalized to 1
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Maintained	⚠️ 1	2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/undici-types

7.24.6

🟢 8.3

Details

Check	Score	Reason
Dependency-Update-Tool	🟢 10	update tool detected
Maintained	🟢 10	30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10
Security-Policy	🟢 10	security policy file detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	🟢 10	all changesets reviewed
Binary-Artifacts	🟢 8	binaries present in source code
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies	🟢 4	dependency not pinned by hash detected -- score normalized to 4
SAST	🟢 9	SAST tool detected but not run on all commits
License	🟢 10	license file detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Packaging	🟢 10	packaging workflow detected
Fuzzing	🟢 10	project is fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
CI-Tests	🟢 10	30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors	🟢 10	project has 77 contributing companies or organizations

npm/uuid

11.1.1

🟢 5.3

Details

Check	Score	Reason
Maintained	🟢 10	16 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Pinned-Dependencies	⚠️ -1	internal error: internal error: invalid GitHub workflow: :30:31: could not parse as YAML: mapping values are not allowed in this context [syntax-check]
Code-Review	⚠️ 1	Found 5/27 approved changesets -- score normalized to 1
Security-Policy	🟢 3	security policy file detected
Token-Permissions	⚠️ -1	internal error: internal error: invalid GitHub workflow: :30:31: could not parse as YAML: mapping values are not allowed in this context [syntax-check]
Packaging	⚠️ -1	internal error: internal error: invalid GitHub workflow: :30:31: could not parse as YAML: mapping values are not allowed in this context [syntax-check]
Dangerous-Workflow	⚠️ -1	internal error: internal error: invalid GitHub workflow: :30:31: could not parse as YAML: mapping values are not allowed in this context [syntax-check]
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ -1	internal error: internal error: invalid GitHub workflow: :30:31: could not parse as YAML: mapping values are not allowed in this context [syntax-check]

npm/uuid

14.0.0

🟢 5.3

Details

Check	Score	Reason
Maintained	🟢 10	16 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Pinned-Dependencies	⚠️ -1	internal error: internal error: invalid GitHub workflow: :30:31: could not parse as YAML: mapping values are not allowed in this context [syntax-check]
Code-Review	⚠️ 1	Found 5/27 approved changesets -- score normalized to 1
Security-Policy	🟢 3	security policy file detected
Token-Permissions	⚠️ -1	internal error: internal error: invalid GitHub workflow: :30:31: could not parse as YAML: mapping values are not allowed in this context [syntax-check]
Packaging	⚠️ -1	internal error: internal error: invalid GitHub workflow: :30:31: could not parse as YAML: mapping values are not allowed in this context [syntax-check]
Dangerous-Workflow	⚠️ -1	internal error: internal error: invalid GitHub workflow: :30:31: could not parse as YAML: mapping values are not allowed in this context [syntax-check]
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ -1	internal error: internal error: invalid GitHub workflow: :30:31: could not parse as YAML: mapping values are not allowed in this context [syntax-check]

npm/jest-environment-jsdom

^30.4.1

Unknown

npm/jose

^6.2.3

Unknown

npm/uuid

^14.0.0

Unknown

npm/@types/node

^25.6.2

Unknown

npm/jose

^6.2.3

Unknown

npm/uuid

^14.0.0

Unknown

Scanned Files

package-lock.json
package.json
packages/core/package.json
packages/webext/package.json

NSeydoux and others added 8 commits May 11, 2026 15:28

Upgrade jose to v6 (inrupt#4267)

0f2bcee

* Bump jose to v6 * Adjust Jest config for ESM-only jose * Adjust to latest jose version * Temporary type bridge until cleaner openid-client migration * Fix windows CI config

Merge branch 'upstream'

5b5b254

NeiRo21 self-assigned this May 15, 2026

NeiRo21 merged commit 64592d3 into main May 15, 2026
6 checks passed

NeiRo21 deleted the merge-from-upstream-20260515 branch May 15, 2026 22:46

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

merge from upstream 20260515#29

merge from upstream 20260515#29
NeiRo21 merged 8 commits into
mainfrom
merge-from-upstream-20260515

NeiRo21 commented May 15, 2026

Uh oh!

github-actions Bot commented May 15, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Conversation

NeiRo21 commented May 15, 2026

Uh oh!

github-actions Bot commented May 15, 2026

Dependency Review

License Issues

packages/core/package.json

packages/webext/package.json

OpenSSF Scorecard

Scanned Files

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants