# Supply-Chain Recheck Report

---

## Header

| Field | Value |
|-------|-------|
| **Report type** | supply-check |
| **Target** | ~/repos/dft-marketplace |
| **Date** | 2026-05-05 |
| **Version** | llm-security v7.4.0 |
| **Scope** | npm + pip + cargo lockfiles |
| **Frameworks** | OWASP LLM03, NIST SSDF |
| **Triggered by** | /security supply-check |

---

## Risk Dashboard

| Metric | Value |
|--------|-------|
| **Risk Score** | 22/100 |
| **Risk Band** | Medium |
| **Grade** | B |
| **Verdict** | WARNING |

| Severity | Count |
|----------|------:|
| Critical | 0 |
| High | 1 |
| Medium | 4 |
| Low | 2 |
| Info | 6 |
| **Total** | **13** |

**Verdict rationale:** 1 HIGH OSV.dev advisory on `lefthook@1.4.2` (CVE-2024-1234, denial-of-service via crafted hook config). 4 MEDIUM: 3 typosquat candidates flagged for manual review, plus 1 package (`colorette@3.1.0`) still inside the 72h publish-age gate.

---

## Ecosystem Coverage

| Ecosystem | Lockfile | Packages | OSV.dev Hits | Typosquats |
|-----------|----------|---------:|-------------:|-----------:|
| npm | package-lock.json | 412 | 1 | 2 |
| pip | requirements.txt | 38 | 0 | 1 |
| cargo | Cargo.lock | 71 | 0 | 0 |
| go | go.sum | 0 | 0 | 0 |
| docker | (none) | 0 | 0 | 0 |
| **Total** | | **521** | **1** | **3** |

---

## Findings

### High

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| SCR-001 | OSV.dev CVE | package-lock.json | 8421 | `lefthook@1.4.2` → CVE-2024-1234 (DoS via crafted hook config) | LLM03 |

### Medium

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| SCR-002 | Typosquat | package-lock.json | 1247 | `expresss` (three s's), Levenshtein 1 vs `express` | LLM03 |
| SCR-003 | Typosquat | package-lock.json | 2891 | `lodahs`, Levenshtein 2 vs `lodash` | LLM03 |
| SCR-004 | Typosquat | requirements.txt | 22 | `request-mock` (no s), Levenshtein 1 vs the legitimate `requests-mock`; manual review | LLM03 |
| SCR-005 | Recent | package-lock.json | 5103 | `colorette@3.1.0` published 71 hours ago (<72h gate) | LLM03 |

### Low

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| SCR-006 | Maintenance | package-lock.json | — | 18 packages with last publish > 730 days ago | — |
| SCR-007 | License | requirements.txt | 12 | `chardet==3.0.4` is LGPL-2.1; verify compatibility with the project license | — |

### Info

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| SCR-008 | Provenance | package-lock.json | — | 412/412 packages resolve to the npm registry | — |
| SCR-009 | Provenance | Cargo.lock | — | All 71 crates from crates.io | — |
| SCR-010 | Coverage | go.sum | — | No Go dependencies detected | — |
| SCR-011 | Coverage | (docker) | — | No Dockerfile detected | — |
| SCR-012 | Cache | OSV.dev | — | 521 packages queried: 510 served from cache, 11 fresh lookups | — |
| SCR-013 | Cache | TTL | — | OSV cache TTL: 6 hours; hit rate 97.9% (510/521) | — |

---

## Recommendations

1. **Immediate:** Bump `lefthook` to ≥1.5.0 to clear CVE-2024-1234. Run `npm install lefthook@latest`, then re-run the check to confirm the advisory no longer matches.
2. **High:** Confirm whether `expresss`, `lodahs` and `request-mock` are intentional dependencies. All three sit within two edits of a popular package and read as typosquat bait; if they are not intentional, remove them and reinstall the package that was meant.
3. **Medium:** Hold `colorette@3.1.0` until it clears the 72h publish-age gate (71h at scan time; the first days after publish are the usual window for a hijacked-release attack to be noticed and pulled), then re-run the check before pinning.
4. **Low:** Audit the LGPL-2.1 dependency `chardet==3.0.4` for license compatibility with the project license.

---

*Supply-chain recheck complete. 521 packages across 3 ecosystems, 13 findings.*
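The two MEDIUM checks in this report (Levenshtein distance against well-known package names, and the 72h publish-age gate) can be reproduced on a lockfile with a short script. The following is an added example, not the llm-security tool's own code: it parses a constructed `lockfileVersion` 3 fragment that mirrors the findings above, flags names within two edits of an assumed allow-list (`KNOWN_NAMES`; a real scan would use a download-ranked list), and applies the age gate against constructed registry `time` metadata so the whole thing runs offline.

```python
"""Typosquat and publish-age checks over an npm lockfile.

Added example, not code from the llm-security tool. KNOWN_NAMES, the
lockfile fragment and REGISTRY_TIME are constructed for the demo; in real
use the allow-list comes from a download-ranked package list and publish
times from each package's `time` map on the registry.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed lockfile fragment (npm lockfileVersion 3: "packages" keyed by
# node_modules path). Names mirror this report's findings.
LOCKFILE_JSON = """
{
  "name": "dft-marketplace",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "dft-marketplace", "version": "1.0.0"},
    "node_modules/express": {"version": "4.19.2"},
    "node_modules/expresss": {"version": "0.0.1"},
    "node_modules/lodahs": {"version": "4.17.21"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/colorette": {"version": "3.1.0"},
    "node_modules/lefthook": {"version": "1.4.2"},
    "node_modules/@types/node": {"version": "20.11.0"}
  }
}
"""

# Constructed registry metadata: version -> ISO-8601 publish timestamp,
# the shape of the registry's per-package `time` map.
SCAN_TIME = datetime(2026, 5, 5, 12, 0, tzinfo=timezone.utc)
REGISTRY_TIME = {
    "colorette": {"3.1.0": (SCAN_TIME - timedelta(hours=71)).isoformat()},
    "lefthook": {"1.4.2": "2023-08-01T00:00:00Z"},
}

# Assumed allow-list of well-known names (tiny here; real scans use thousands).
KNOWN_NAMES = {"express", "lodash", "colorette", "lefthook", "requests"}

MAX_DISTANCE = 2
MIN_AGE_HOURS = 72


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lockfile_packages(lock_json: str) -> dict:
    """Return {package_name: version} from a lockfileVersion 2/3 document.

    Keys are node_modules paths; the name is everything after the last
    "node_modules/", so nested and scoped (@org/name) entries resolve.
    """
    doc = json.loads(lock_json)
    out = {}
    for path, meta in doc.get("packages", {}).items():
        if not path:  # "" is the root project, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        out[name] = meta.get("version", "")
    return out


def typosquat_candidates(names, known=KNOWN_NAMES, max_distance=MAX_DISTANCE):
    """Names within max_distance edits of a well-known name, but not equal to one.

    Allow-listed names are never flagged: `lodash` passes, `lodahs` (2 edits)
    is reported. Returns (name, nearest_known, distance) tuples, sorted by name.
    """
    hits = []
    for name in sorted(names):
        if name in known:
            continue
        for target in known:
            d = levenshtein(name, target)
            if 0 < d <= max_distance:
                hits.append((name, target, d))
    return hits


def publish_age_violations(versions, registry_time, now=SCAN_TIME, min_hours=MIN_AGE_HOURS):
    """Pinned versions published less than min_hours before `now`."""
    out = []
    for name, version in versions.items():
        stamp = registry_time.get(name, {}).get(version)
        if stamp is None:
            continue  # no publish time known: not a gate failure by itself
        published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        age_h = (now - published).total_seconds() / 3600
        if age_h < min_hours:
            out.append((name, version, round(age_h)))
    return out


if __name__ == "__main__":
    pkgs = lockfile_packages(LOCKFILE_JSON)
    for name, target, d in typosquat_candidates(pkgs):
        print(f"Typosquat candidate: {name} (Levenshtein {d} vs {target})")
    for name, version, age in publish_age_violations(pkgs, REGISTRY_TIME):
        print(f"Recent publish: {name}@{version} published {age}h ago (<{MIN_AGE_HOURS}h gate)")
```

Two design points worth keeping when adapting this: the allow-list check runs before the distance loop, otherwise every real package that is one edit from another real package (say `request` and `requests`) would be flagged; and a missing publish time is deliberately not treated as a gate failure, since the gate is about freshly published versions, not unknown ones.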