{"package":"marko","ecosystem":"npm","latest_version":"5.38.37","description":"UI Components + streaming, async, high performance, HTML templating for Node.js and the browser.","license":"MIT","license_risk":"permissive","commercial_use_notes":"Permissive: commercial closed-source use OK; preserve the copyright notice.","homepage":"https://markojs.com/","repository":"https://github.com/marko-js/marko","downloads_weekly":null,"health":{"score":68,"risk":"moderate","breakdown":{"maintenance":25,"popularity":0,"security":23,"maturity":15,"community":5},"deprecated":false,"max_score":100},"vulnerabilities":{"count":1,"critical":0,"high":0,"medium":1,"low":0,"details":[{"vuln_id":"CVE-2026-41591","severity":"medium","summary":"Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping","affected_versions":"<5.38.36|<6.0.164","fixed_version":"6.0.164","source":"osv","published_at":"2026-04-22T19:55:51Z","in_kev":false,"threat_tier":"unknown"}],"actively_exploited_count":0,"likely_exploited_count":0},"versions":{"latest":"5.38.37","total_count":1289,"recent":["6.0.156","5.38.31","6.0.157","5.38.32","6.0.158","5.38.33","6.0.159","5.38.34","6.0.160","6.0.161","5.38.35","6.0.162","6.0.163","5.38.36","6.0.164","6.0.165","6.0.166","5.38.37","6.0.167","6.0.168"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":7,"first_published":"2014-09-17T15:37:36.890Z","last_published":"2026-04-24T23:26:07.764Z","dependencies_count":15,"dependencies":["argly","warp10","csstype","complain","minimatch","raptor-util","events-light","magic-string","resolve-from","@marko/compiler","app-module-path","listener-tracker","self-closing-tags","@marko/runtime-tags","browser-refresh-client"]},"github_stats":null,"bundle":null,"typescript":{"score":10,"has_types":true,"types_source":"bundled","types_package":null},"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"safe_to_use","issues":[],"use_version":"5.38.37","version_hint":"Update to >= 6.0.164 to fix known vulnerabilities","summary":"marko@5.38.37 is safe to use (health: 68/100)"},"version_scoped":null,"requested_version":null,"_cache":"miss","_response_ms":562,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"version_history_summary":{"total_versions":20,"first_release_age_days":4243,"last_release_days_ago":6,"avg_days_between_releases":223,"release_velocity":"active"},"popularity_warning":{"this_ecosystem_downloads":0,"more_popular_in":{"ecosystem":"pypi","downloads_weekly":1087766},"hint":"This is the npm package 'marko' (0 dl/week). A much more popular package with the same name exists in pypi (1,087,766 dl/week). Confirm you queried the right ecosystem."}}