
@budibase/backend-core

Budibase backend core libraries used in server and worker

Versions: 15
License: GPL-3.0
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

Status badges: No SLSA provenance | npm registry signatures | gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

melbudibasepclmntjoranamochristos-budibase

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
license | copyleft-license:GPL-3.0 | AI (license): GPL-3.0 is the declared license; stable for this package. | ai |
publish-pattern | dormant-publish | AI (publish-pattern): Active Budibase monorepo sub-package; publish gaps are expected and not indicative of takeover. | ai |
dependencies | unvetted-dep:pouchdb-find | AI (dependencies): Official PouchDB query plugin; stable and expected alongside pouchdb dependency. | ai |
dependencies | unvetted-dep:@budibase/nano | AI (dependencies): Budibase-maintained CouchDB client fork; expected in Budibase backend-core. | ai |
dependencies | unvetted-dep:correlation-id | AI (dependencies): Standard request correlation library; benign for backend logging. | ai |
dependencies | unvetted-dep:koa-pino-logger | AI (dependencies): Standard Koa logging middleware; consistent with koa usage in this package. | ai |
dependencies | unvetted-dep:aws-cloudfront-sign | AI (dependencies): CloudFront URL signing utility; expected in AWS-integrated backend. | ai |
dependencies | unvetted-dep:bull | AI (dependencies): Legitimate Redis-backed job queue; consistent with backend-core usage across many versions. | ai |
dependencies | unvetted-dep:sanitize-s3-objectkey | AI (dependencies): Small S3 key sanitization utility; consistent with S3 usage in this package. | ai |
dependencies | unvetted-dep:passport-oauth2-refresh | AI (dependencies): Standard OAuth2 token refresh for Passport.js; expected for auth. | ai |
dependencies | unvetted-dep:@govtechsg/passport-openidconnect | AI (dependencies): OpenID Connect Passport strategy; expected for SSO/OIDC support. | ai |
dependencies | unvetted-dep:@budibase/pouchdb-replication-stream | AI (dependencies): Budibase-maintained PouchDB replication fork; expected in Budibase backend-core. | ai |
provenance | no-provenance | AI (provenance): Established Budibase monorepo package; lack of provenance is consistent across all its versions. | ai |
dependencies | unvetted-dep:passport-google-oauth | AI (dependencies): Official Passport.js Google OAuth strategy; expected for auth features. | ai |
dependencies | unvetted-dep:redlock | AI (dependencies): Standard distributed lock library for Redis; expected in backend-core. | ai |

Versions (showing 15 of 15)

Version | Deps | Published
3.38.5 | 44 / 18 |
3.38.4 | 44 / 18 |
3.38.2 | 44 / 18 |
3.37.5 | 44 / 18 |
3.37.4 | 44 / 18 |
3.37.3 | 44 / 18 |
3.37.2 | 44 / 18 |
3.37.1 | 44 / 18 |
3.37.0 | 44 / 18 |
3.36.5 | 44 / 18 |
3.36.4 | 44 / 18 |
3.36.3 | 44 / 18 |
3.36.2 | 44 / 18 |
3.36.1 | 44 / 18 |
3.35.10 | 44 / 18 |

v3.38.5

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.38.4

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.38.2

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.37.5

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.37.4

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.37.3

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.37.2

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.37.0

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.36.5

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.36.1

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.