@budibase/server
Budibase Web Server
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:client/chunks/apexcharts.common-C95zIOBM.js | AI (source-diff): Standard Vite-bundled apexcharts library chunk; minification is expected for this build artifact. | ai | |
| source-diff | obfuscated-file:client/chunks/Calendar-CN43qmva.js | AI (source-diff): Vite-bundled calendar UI chunk; minification is expected for this build artifact. | ai | |
| source-diff | obfuscated-file:builder/assets/easymde-BtC5_LAF.js | AI (source-diff): Vite-bundled easymde markdown editor chunk; minification is expected. | ai | |
| source-diff | obfuscated-file:client/chunks/easymde-Dy0fQBFB.js | AI (source-diff): Vite-bundled easymde markdown editor chunk; minification is expected. | ai | |
| source-diff | obfuscated-file:client/chunks/EmbeddedMap-QPeaSkZX.js | AI (source-diff): Vite-bundled Leaflet map chunk; minification is expected for this build artifact. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval used in in-memory PouchDB view engine to reconstruct map functions; documented workaround for cloud eval issues. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get used in test assertions to access dynamic tool properties; not obfuscation. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require for app plugin loading is a documented pattern in Budibase's plugin system. | ai | |
| phantom-deps | phantom-dep:knex | AI (phantom-deps): Large server package; knex likely used transitively or via config-driven loading. | ai | |
| phantom-deps | phantom-dep:redis | AI (phantom-deps): Redis used via backend-core abstraction layer, not direct import. | ai | |
| phantom-deps | phantom-dep:bcrypt | AI (phantom-deps): bcrypt used via backend-core; indirect import pattern stable for this package. | ai | |
| typosquat | typosquat.levenshtein:semver | AI (typosquat): @budibase/server is a scoped package from the Budibase org, not a typosquat of semver. | ai | |
| phantom-deps | phantom-dep:pouchdb | AI (phantom-deps): PouchDB used via @budibase/nano abstraction; indirect import is expected. | ai | |
| phantom-deps | phantom-dep:@koa/cors | AI (phantom-deps): Koa middleware loaded via framework convention, not direct import. | ai | |
| phantom-deps | phantom-dep:jsonwebtoken | AI (phantom-deps): JWT handling delegated to backend-core; indirect import stable for this package. | ai | |
| phantom-deps | phantom-dep:koa2-ratelimit | AI (phantom-deps): Rate limiting middleware loaded via config; indirect import pattern stable. | ai | |
| phantom-deps | phantom-dep:@budibase/frontend-core | AI (phantom-deps): Same-org scoped package; used as build artifact dependency, not direct import. | ai | |
| phantom-deps | phantom-dep:openai | AI (phantom-deps): openai loaded dynamically via AI integration layer; stable indirect pattern. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): process.env spread into worker options is standard Node.js worker forking pattern for this server package. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding in mock/test files for crypto key construction; not a runtime payload concern. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decode in bundled client chunk for source map handling; standard build artifact pattern. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP (169.254.169.254) appears in a test spec as an SSRF test fixture URL, not production code. | ai | |
v3.37.2
6 findings

- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (Reported five times.)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.