Home/git-town/Trust report

Trust and health report

git-town - trust report

Sourced, dated trust signals - maintenance label posture, repository provenance, and security scan status. Not a composite safety grade.

GraphCanon updated today · GitHub synced today

Maintenance

Recency and activity heuristics from public GitHub metadata (maintenance label, momentum); methodology: github_public_v1.

Active82% signal

last push 7d ago · last release 3w · 4 releases (90d)

Provenance

Repository identity and fork provenance (github_public_v1).

Security intelligence

Source-by-source security scan results from public intelligence providers. Missing, partial, or failed queries are shown explicitly and are not treated as clean.

OSV dependency advisories

Published findings
Last query
today
Scanner
osv@v1
Stored findings
25
View source evidence

deps.dev advisories

Not queried
Scanner
deps.dev@v1
View source evidence

OpenSSF Scorecard

Not queried
Scanner
openssf-scorecard@v1

Weekly public scans omit some checks at scale.

View source evidence

Dependency advisories (deduplicated)

GHSA-q6x5-8v7m-xcrf
@protobufjs/utf8@1.1.0 · osv@v1
package-lock.json
GHSA-f886-m6hf-6m8v
brace-expansion@1.1.12 · osv@v1
package-lock.json
GHSA-22p9-wv53-3rq4
linkify-it@5.0.0 · osv@v1
package-lock.json
GHSA-f23m-r3pf-42rh
lodash@4.17.21 · osv@v1
package-lock.json
GHSA-r5fr-rjxr-66jc
lodash@4.17.21 · osv@v1
package-lock.json
GHSA-xxjr-mmjv-4gpg
lodash@4.17.21 · osv@v1
package-lock.json
GHSA-38c4-r59v-3vqw
markdown-it@14.1.0 · osv@v1
package-lock.json
GHSA-6v5v-wf23-fmfq
markdown-it@14.1.0 · osv@v1
package-lock.json
GHSA-23c5-xmqv-rm74
minimatch@3.1.2 · osv@v1
package-lock.json
GHSA-3ppc-4f35-3m26
minimatch@3.1.2 · osv@v1
package-lock.json
GHSA-7r86-cg39-jmmj
minimatch@3.1.2 · osv@v1
package-lock.json
GHSA-3v7f-55p6-f55p
picomatch@2.3.1 · osv@v1
package-lock.json
GHSA-c2c7-rcm5-vvqj
picomatch@2.3.1 · osv@v1
package-lock.json
GHSA-2pr8-phx7-x9h3
protobufjs@6.11.4 · osv@v1
package-lock.json
GHSA-66ff-xgx4-vchm
protobufjs@6.11.4 · osv@v1
package-lock.json
GHSA-685m-2w69-288q
protobufjs@6.11.4 · osv@v1
package-lock.json
GHSA-75px-5xx7-5xc7
protobufjs@6.11.4 · osv@v1
package-lock.json
GHSA-f38q-mgvj-vph7
protobufjs@6.11.4 · osv@v1
package-lock.json
GHSA-fx83-v9x8-x52w
protobufjs@6.11.4 · osv@v1
package-lock.json
GHSA-jggg-4jg4-v7c6
protobufjs@6.11.4 · osv@v1
package-lock.json
GHSA-jvwf-75h9-cwgg
protobufjs@6.11.4 · osv@v1
package-lock.json
GHSA-wcpc-wj8m-hjx6
protobufjs@6.11.4 · osv@v1
package-lock.json
GHSA-xq3m-2v4x-88gg
protobufjs@6.11.4 · osv@v1
package-lock.json
GHSA-ph9p-34f9-6g65
tmp@0.2.5 · osv@v1
package-lock.json
GHSA-w5hq-g745-h8pq
uuid@3.4.0 · osv@v1
package-lock.json

Method and caveats: these are sourced, dated heuristics from public GitHub data and external security intelligence providers. A status like "no published findings from this source" is not a guarantee of safety. Read the full trust methodology · JSON report at /api/graphcanon/tools/git-town-git-town/trust.

Common questions

Is git-town maintained?
GraphCanon rates git-town "Active" (82% maintenance signal from public GitHub metadata, computed today). Last push was 7 days ago. 4 GitHub releases in the last 90 days. This is a recency heuristic, not a guarantee the project will stay maintained.
Is git-town safe to use?
Last scanned today (deps profile). Status: 25 low - 25 low finding(s) in the latest scan. GraphCanon does not claim the project is safe or vulnerability-free; review findings on the trust report. GraphCanon does not certify git-town as safe - review maintenance, provenance, and scan findings on this page before adopting.
Is git-town a fork?
No. git-town is not flagged as a fork in GitHub metadata at the time of the last refresh.
Does git-town have known security vulnerabilities?
Last scanned today (deps profile). Status: 25 low - 25 low finding(s) in the latest scan. GraphCanon does not claim the project is safe or vulnerability-free; review findings on the trust report.
How often is the git-town trust report updated?
Trust signals refresh on GitHub ingest/refresh cycles and optional dependency/MCP scans. This report was computed today (methodology github_public_v1).
What does GraphCanon never claim about git-town?
We never publish a composite safety grade, pen-test endorsement, or "verified secure" label for git-town. Signals are sourced heuristics with explicit limits - see trust methodology.
How does GraphCanon assess trust for git-town?
Signals are sourced from public GitHub metadata and optional dependency/MCP manifest scans, each tagged with methodology version and computed date. GraphCanon does not publish a composite safety grade. Read trust methodology for full scope and limits.

Was this helpful?

Anonymous feedback helps us improve pages and translations.