Cx743605c8-a95e @ Npm-momnet-2.29.1

**Checkmarx \(SCA\):** Vulnerable Package
**Vulnerability:** [Read More ](https://devhub.checkmarx.com/cve-details/Cx743605c8-a95e) about Cx743605c8-a95e
**Checkmarx Project:** [YSLCx/workshop\_demo](https://ast.checkmarx.net/projects/104dc642-f346-404e-9767-7c3bc21331a6/overview?branch=main)
**Repository URL:** [https://github.com/YSLCx/workshop\_demo](https://github.com/YSLCx/workshop_demo)
**Branch:** main
**Scan ID:** [85f0b871\-dd27\-420e\-95e1\-91e06302f579](https://ast.checkmarx.net/projects/104dc642-f346-404e-9767-7c3bc21331a6/scans?id=85f0b871-dd27-420e-95e1-91e06302f579&branch=main)


----
There is a weak link between the package's listed metadata and the referenced Git repository "https://github.com/moment/moment"
### About

Package managers often display traction statistics per code package based on it's related GitHub repository. This statistics helps developers to evaluate code packages.

![infographic](https://checkmarx-scs-cdn.s3.amazonaws.com/sca/infographics/starjacking.png)

The statistics displayed by the package managers do not go through any validation process. It can easily be falsified to mislead developers because of how this information is acquired.


As part of the package metadata analysis capabilities Checkmarx has, StarJacking engine verifies the authenticity of such Git repository references and in case it's a false reference, this risk is shown





----
**Additional Info**


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cx743605c8-a95e @ Npm-momnet-2.29.1 #24

About

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Cx743605c8-a95e @ Npm-momnet-2.29.1 #24

Description

About

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions