chore(deps): update devdependencies (non-major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@types/node (source)	26.0.0 → 26.0.1
sharp (source, changelog)	^0.34.5 → ^0.35.0

---

Release Notes

lovell/sharp (sharp)

v0.35.2

Compare Source

v0.35.1

Compare Source

• TypeScript: Ensure type definitions are published for both ESM and CJS.
  #​4537

• WebAssembly: Ensure wrapper file is published.
  #​4538

v0.35.0

Compare Source

• Breaking: Drop support for Node.js 18, now requires Node.js >= 20.9.0.

• Breaking: Remove install script from package.json file.
  Compiling from source is now opt-in via the build script.

• Breaking: Lossy AVIF output is now tuned using SSIMULACRA2-based iq quality metrics.

• Breaking: Add limitInputChannels with a default value of 5.

• Breaking: Remove deprecated failOnError constructor property.

• Breaking: Remove deprecated paletteBitDepth from metadata response.

• Breaking: Remove deprecated properties from sharpen operation.

• Breaking: Rename format.jp2k as format.jp2 for API consistency.

• Upgrade to libvips v8.18.3 for upstream bug fixes.

• Remove experimental status from WebAssembly binaries.

• Add prebuilt binaries for FreeBSD (WebAssembly).

• Deprecate Windows 32-bit (win32-ia32) prebuilt binaries.

• Ensure TIFF output bitdepth option is limited to 1, 2 or 4.

• Add AVIF/HEIF tune option for control over quality metrics.
  #​4227

• Add keepGainMap and withGainMap to process HDR JPEG images with embedded gain maps.
  #​4314

• Add toUint8Array for output image as a TypedArray backed by a transferable ArrayBuffer.
  #​4355

• Require prebuilt binaries using static paths to aid code bundling.
  #​4380

• TypeScript: Ensure FormatEnum keys match reality.
  #​4475

• Add margin option to trim operation.
  #​4480
  @​eddienubes

• Ensure HEIF primary item is used as default page/frame.
  #​4487

• Add image Media Type (MIME Type) to metadata response.
  #​4492

• Add withDensity to set output density in EXIF metadata.
  #​4496

• Improve pkg-config path discovery.
  #​4504

• Add WebP exact option for control over transparent pixel colour values.

• Add support for ECMAScript Modules (ESM).
  #​4509
  @​florian-lefebvre

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/@emnapi/runtime	1.11.1	🟢 3.4	Details Check Score Reason Code-Review ⚠️ 0 Found 1/30 approved changesets -- score normalized to 0 Maintained 🟢 10 27 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@img/sharp-darwin-arm64	0.35.2	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@img/sharp-darwin-x64	0.35.2	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@img/sharp-freebsd-wasm32	0.35.2	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@img/sharp-libvips-darwin-arm64	1.3.1	Unknown	Unknown
npm/@img/sharp-libvips-darwin-x64	1.3.1	Unknown	Unknown
npm/@img/sharp-libvips-linux-arm	1.3.1	Unknown	Unknown
npm/@img/sharp-libvips-linux-arm64	1.3.1	Unknown	Unknown
npm/@img/sharp-libvips-linux-ppc64	1.3.1	Unknown	Unknown
npm/@img/sharp-libvips-linux-riscv64	1.3.1	Unknown	Unknown
npm/@img/sharp-libvips-linux-s390x	1.3.1	Unknown	Unknown
npm/@img/sharp-libvips-linux-x64	1.3.1	Unknown	Unknown
npm/@img/sharp-libvips-linuxmusl-arm64	1.3.1	Unknown	Unknown
npm/@img/sharp-libvips-linuxmusl-x64	1.3.1	Unknown	Unknown
npm/@img/sharp-linux-arm	0.35.2	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@img/sharp-linux-arm64	0.35.2	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@img/sharp-linux-ppc64	0.35.2	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@img/sharp-linux-riscv64	0.35.2	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@img/sharp-linux-s390x	0.35.2	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@img/sharp-linux-x64	0.35.2	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@img/sharp-linuxmusl-arm64	0.35.2	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@img/sharp-linuxmusl-x64	0.35.2	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@img/sharp-wasm32	0.35.2	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@img/sharp-webcontainers-wasm32	0.35.2	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@img/sharp-win32-arm64	0.35.2	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@img/sharp-win32-ia32	0.35.2	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@img/sharp-win32-x64	0.35.2	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@types/node	26.0.1	Unknown	Unknown
npm/sharp	0.35.2	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 2 Found 8/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• package-lock.json