{"package":"antilles-tools","ecosystem":"pypi","latest_version":"1.0.0","description":"Tools collection for antilles project","license":"BSD-3 and EPL-1.0","license_risk":"permissive","commercial_use_notes":"Permissive: commercial closed-source use OK; preserve the copyright notice.","homepage":"https://pypi.org/project/antilles-tools/","repository":"","downloads_weekly":0,"health":{"score":20,"risk":"critical","breakdown":{"maintenance":0,"popularity":0,"security":20,"maturity":0,"community":0},"deprecated":false,"max_score":100},"vulnerabilities":{"count":2,"critical":0,"high":1,"medium":0,"low":1,"details":[{"vuln_id":"CVE-2021-3840","severity":"high","summary":"Antilles Dependency Confusion Vulnerability","affected_versions":"<1.0.1|=1.0.0","fixed_version":"1.0.1","source":"osv","published_at":"2021-11-03T17:36:22Z","in_kev":false,"epss_prob":0.0118,"epss_percentile":0.78831,"threat_tier":"theoretical"},{"vuln_id":"CVE-2021-3840","severity":"unknown","summary":"A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi","affected_versions":"<1.0.1|=1.0.0","fixed_version":"1.0.1","source":"osv","published_at":"2021-11-12T22:15:00Z","in_kev":false,"epss_prob":0.0118,"epss_percentile":0.78831,"threat_tier":"theoretical"}],"actively_exploited_count":0,"likely_exploited_count":0},"versions":{"latest":"1.0.0","total_count":1,"recent":["1.0.0"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":0,"first_published":null,"last_published":"2021-09-27T04:38:25.542779Z","dependencies_count":0,"dependencies":[]},"github_stats":null,"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"update_required","issues":["Moderate health score (20/100) — verify manually","1 high severity vulnerabilities"],"use_version":"1.0.0","version_hint":"Update to >= 1.0.1 to fix known vulnerabilities","summary":"antilles-tools@1.0.0 has vulnerabilities — update to latest"},"version_scoped":null,"requested_version":null,"_cache":"hit","_response_ms":0,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"version_history_summary":{"total_versions":1,"first_release_age_days":null,"last_release_days_ago":1678,"avg_days_between_releases":null,"release_velocity":"stale"}}