@almadar/server — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

javasop

Keywords

almadarserverexpressmiddleware

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
typosquat	typosquat.levenshtein:semver	AI (typosquat): '@almadar/server' is a scoped server infrastructure package for the Almadar ecosystem; similarity to 'semver' is purely coincidental and not an impersonation attempt.	ai	2026/04/27
phantom-deps	phantom-dep:cors	AI (phantom-deps): cors is a legitimate declared dependency for an Express server library; likely used indirectly through middleware exports rather than direct top-level imports.	ai	2026/04/27
phantom-deps	phantom-dep:helmet	AI (phantom-deps): helmet is a legitimate declared dependency for an Express server library; likely used indirectly through middleware exports rather than direct top-level imports.	ai	2026/04/27

Versions (showing 25 of 25)

Version	Deps	Published
2.14.0	9 / 14	2026-06-06
2.13.0	9 / 14	2026-06-04
2.12.1	9 / 14	2026-06-02
2.11.0	9 / 14	2026-05-12
2.10.0	9 / 14	2026-05-12
2.9.0	8 / 14	2026-05-05
2.8.0	8 / 14	2026-05-05
2.7.3	8 / 14	2026-05-03
2.7.2	8 / 14	2026-05-02
2.7.0	8 / 14	2026-04-30
2.6.0	8 / 14	2026-04-27
2.5.0	8 / 14	2026-04-25
2.4.0	8 / 14	2026-04-21
2.3.6	8 / 14	2026-04-19
2.3.5	8 / 14	2026-04-08
2.3.4	8 / 14	2026-04-05
2.3.3	8 / 14	2026-04-05
2.3.1	8 / 14	2026-04-05
2.3.0	8 / 14	2026-04-05
2.2.0	8 / 14	2026-03-31
1.0.13	6 / 9	2026-02-10
1.0.12	6 / 9	2026-02-09
1.0.10	6 / 9	2026-02-09
1.0.9	6 / 9	2026-02-09
1.0.0	6 / 9	2026-02-04