@deno/eszip
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: the registry's own signature only shows that the registry served this exact tarball, not which repository and build produced it. The axios compromise (March 2026) relied on exactly this gap.
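One way to perform the check this status line describes, as an added example that is not part of this page or of the eszip project. It classifies what the registry's version metadata proves about a published version. The field layout it assumes (`dist.signatures` for the registry's own key signature, and `dist.attestations.url` plus `dist.attestations.provenance.predicateType` only when a version was published with provenance) is my understanding of what `https://registry.npmjs.org/<name>/<version>` returns; `fetchVersionDoc` is a helper name of my own, and both version documents below are constructed samples, not real registry responses.

```javascript
// Added example, not code from this page or from the eszip project.
// Assumption: a version document from https://registry.npmjs.org/<name>/<version>
// carries dist.signatures (the registry's own key signature over the tarball
// integrity) and, only when published with provenance, dist.attestations with
// a Sigstore bundle URL and the SLSA predicate type. Both documents below are
// constructed samples, not real registry responses.

const SLSA_PREDICATES = new Set([
  "https://slsa.dev/provenance/v0.2",
  "https://slsa.dev/provenance/v1",
]);

// Classify what the registry metadata actually proves about a version.
function provenanceStatus(versionDoc) {
  const dist = versionDoc && versionDoc.dist;
  if (!dist) {
    return { level: "no-dist", reason: "version document has no dist block" };
  }
  const signed = Array.isArray(dist.signatures) && dist.signatures.length > 0;
  const att = dist.attestations;
  if (!att || !att.url) {
    return {
      level: "unsigned-source",
      reason: signed
        ? "registry signature only: proves the registry served this tarball, not where it was built from"
        : "no registry signature and no attestations",
    };
  }
  const predicate = att.provenance && att.provenance.predicateType;
  if (!SLSA_PREDICATES.has(predicate)) {
    return {
      level: "attested-unknown",
      reason: `attestation present but predicate type ${predicate} is not SLSA provenance`,
      url: att.url,
    };
  }
  return {
    level: "slsa-provenance",
    reason: `SLSA provenance bundle at ${att.url}; verify it with npm audit signatures`,
    url: att.url,
  };
}

// Hypothetical helper (the name is mine): fetch the real document for a version.
// Not called here so that the example runs offline.
async function fetchVersionDoc(name, version) {
  const res = await fetch(`https://registry.npmjs.org/${name}/${version}`);
  if (!res.ok) throw new Error(`registry returned ${res.status} for ${name}@${version}`);
  return res.json();
}

// Constructed sample: the situation this page reports (signed by the registry,
// no attestation). Values are placeholders, not real signatures.
const withoutProvenance = {
  name: "@deno/eszip",
  version: "0.106.0",
  dist: {
    tarball: "https://registry.npmjs.org/@deno/eszip/-/eszip-0.106.0.tgz",
    signatures: [{ keyid: "SHA256:constructed-keyid", sig: "constructed-signature" }],
  },
};

// Constructed sample: the same version as it would look if published with
// `npm publish --provenance` from a supported CI provider.
const withProvenance = {
  ...withoutProvenance,
  dist: {
    ...withoutProvenance.dist,
    attestations: {
      url: "https://registry.npmjs.org/-/npm/v1/attestations/@deno/eszip@0.106.0",
      provenance: { predicateType: "https://slsa.dev/provenance/v1" },
    },
  },
};

console.log(provenanceStatus(withoutProvenance).level); // unsigned-source
console.log(provenanceStatus(withProvenance).level); // slsa-provenance
```

From the CLI the same field is visible with `npm view @deno/eszip@0.106.0 dist.attestations`. Presence of the attestation is only the necessary half of the check: `npm audit signatures` in a project that depends on the package verifies the bundle against Sigstore and the registry's published keys, which is what actually establishes the link back to the source repository and workflow.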
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Fires on JSDoc example code in @std/io docs, not executable credential harvesting; stable false positive for this package. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get in WASM JS glue code (@deno/cache-dir generated bindings); standard pattern, not obfuscation. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() in WASM JS glue code (@deno/graph generated bindings); standard WASM interop pattern. | ai | |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 0.106.0 | 2 / 2 | |
v0.106.0
5 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/denoland/eszip/blob/8b0304566bcf8d14c42a7dae70e9c162fdd9c782/esm/deps/jsr.io/@std/io/0.218.2/iterate_reader.js#L11
```text
   9 | * import { iterateReader } from "@std/io/iterate_reader";
  10 | *
> 11 | * using file = await Deno.open("/etc/passwd");
  12 | * for await (const chunk of iterateReader(file)) {
  13 | * console.log(chunk);
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/denoland/eszip/blob/8b0304566bcf8d14c42a7dae70e9c162fdd9c782/esm/deps/jsr.io/@std/io/0.218.2/iterate_reader.js#L24
```text
  22 | * import { iterateReader } from "@std/io/iterate_reader";
  23 | *
> 24 | * using file = await Deno.open("/etc/passwd");
  25 | * const iter = iterateReader(file, {
  26 | * bufSize: 1024 * 1024
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/denoland/eszip/blob/8b0304566bcf8d14c42a7dae70e9c162fdd9c782/esm/deps/jsr.io/@std/io/0.218.2/iterate_reader.js#L50
```text
  48 | * import { iterateReaderSync } from "@std/io/iterate_reader";
  49 | *
> 50 | * using file = Deno.openSync("/etc/passwd");
  51 | * for (const chunk of iterateReaderSync(file)) {
  52 | * console.log(chunk);
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/denoland/eszip/blob/8b0304566bcf8d14c42a7dae70e9c162fdd9c782/esm/deps/jsr.io/@std/io/0.218.2/iterate_reader.js#L62
```text
  60 | * import { iterateReaderSync } from "@std/io/iterate_reader";
  61 |
> 62 | * using file = await Deno.open("/etc/passwd");
  63 | * const iter = iterateReaderSync(file, {
  64 | * bufSize: 1024 * 1024
```
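A triage check for the four findings above, as an added example that is not part of this page, of semgrep, or of the eszip project. Every flagged line sits inside a JSDoc example, which is why the accepted-risks table marks the rule as a stable false positive for this package; the check below makes that decision mechanically by deciding, for each occurrence of the rule's pattern, whether the string is inside a block or line comment or in executable code. The lexer is a deliberate simplification (it tracks block comments, line comments and quoted strings, and does not handle regex literals or division-versus-comment ambiguity), and the file contents are a constructed sample modelled on the quoted snippet, not the real iterate_reader.js.

```javascript
// Added example, not code from this page, from semgrep, or from the eszip
// project. Goal: for each hit of the rule's pattern, decide whether the string
// sits inside a comment (documentation example) or in executable code.
// Assumption: a simplified JS/TS lexer that tracks block comments, line
// comments and quoted strings is enough for triage; regex literals and
// "a / b /* c */"-style edge cases are not handled.

const SENSITIVE_PATH = /\/etc\/(passwd|shadow)\b/g;

// Returns one record per match: { line, text, inComment }.
function triageSensitivePaths(source) {
  const hits = [];
  let inBlock = false; // block comments span lines, so this state persists
  source.split("\n").forEach((line, idx) => {
    // mask[j] is true when character j of this line is inside a comment
    const mask = new Array(line.length).fill(false);
    let inStr = null;
    let lineComment = false;
    for (let j = 0; j < line.length; j++) {
      const c = line[j];
      const n = line[j + 1];
      if (lineComment || inBlock) {
        mask[j] = true;
        if (inBlock && c === "*" && n === "/") {
          mask[j + 1] = true;
          inBlock = false;
          j++;
        }
        continue;
      }
      if (inStr) {
        if (c === "\\") { j++; continue; } // skip the escaped character
        if (c === inStr) inStr = null;
        continue;
      }
      if (c === "/" && n === "*") { inBlock = true; mask[j] = mask[j + 1] = true; j++; continue; }
      if (c === "/" && n === "/") { lineComment = true; mask[j] = true; continue; }
      if (c === '"' || c === "'" || c === "`") inStr = c;
    }
    let m;
    SENSITIVE_PATH.lastIndex = 0;
    while ((m = SENSITIVE_PATH.exec(line)) !== null) {
      hits.push({ line: idx + 1, text: line.trim(), inComment: mask[m.index] === true });
    }
  });
  return hits;
}

// Count how many hits need a human and how many are documentation text.
function summarize(hits) {
  return hits.reduce(
    (acc, h) => { if (h.inComment) acc.inComment++; else acc.inCode++; return acc; },
    { inComment: 0, inCode: 0 },
  );
}

// Constructed sample modelled on the flagged JSDoc example, plus one genuine
// access in executable code so both outcomes are exercised.
const SAMPLE = `/**
 * Turns a Reader into an AsyncIterableIterator<Uint8Array>.
 *
 * @example
 * \`\`\`ts
 * import { iterateReader } from "@std/io/iterate_reader";
 *
 * using file = await Deno.open("/etc/passwd");
 * for await (const chunk of iterateReader(file)) {
 *   console.log(chunk);
 * }
 * \`\`\`
 */
export async function* iterateReader(reader, options) { /* body omitted */ }

// The same string in executable code is what the rule is meant to catch:
export async function harvest() {
  const file = await Deno.open("/etc/passwd"); // real access, not documentation
  return file;
}
`;

const hits = triageSensitivePaths(SAMPLE);
console.log(hits); // line 8 inComment: true, line 18 inComment: false
console.log(summarize(hits)); // { inComment: 1, inCode: 1 }
```

Run over the real file, a hit with `inComment: true` is the documentation case the table accepts; a hit with `inComment: false` is the one that should block the review, since a dependency that opens `/etc/passwd` at runtime is exactly what the rule exists to catch.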
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.