@feasibleone/blong-gogo
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Fires inside a test asserting path-traversal is rejected with 404; not credential harvesting. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get used for generic config object path traversal; standard pattern, not obfuscation. | ai | |
| phantom-deps | phantom-dep:mysql2 | AI (phantom-deps): Config-file reference only; phantom-dep heuristic false positive for optional/peer deps. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Hardcoded 127.0.0.1:8200 is the standard HashiCorp Vault default endpoint; not exfiltration. | ai | |
| phantom-deps | phantom-dep:@feasibleone/blong-kopi | AI (phantom-deps): Same org scope; likely a sibling package used indirectly via config, not a direct import. | ai | |
| phantom-deps | phantom-dep:ajv-formats | AI (phantom-deps): Config-file reference only; stable false positive for this package. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 used to decode a permission map in JWT construction; no obfuscation or exfiltration pattern. | ai | |
Versions (showing 27 of 27)
| Version | Deps | Published |
|---|---|---|
| 1.25.1 | 50 / 9 | |
| 1.23.0 | 50 / 8 | |
| 1.19.0 | 50 / 8 | |
| 1.14.1 | 49 / 6 | |
| 1.12.2 | 50 / 6 | |
| 1.12.1 | 50 / 6 | |
| 1.12.0 | 50 / 6 | |
| 1.11.2 | 50 / 6 | |
| 1.11.1 | 50 / 6 | |
| 1.11.0 | 50 / 6 | |
| 1.10.4 | 50 / 6 | |
| 1.10.3 | 50 / 6 | |
| 1.10.2 | 50 / 6 | |
| 1.10.1 | 50 / 6 | |
| 1.10.0 | 50 / 6 | |
| 1.9.3 | 50 / 6 | |
| 1.9.2 | 50 / 6 | |
| 1.9.1 | 50 / 6 | |
| 1.9.0 | 50 / 6 | |
| 1.8.1 | 50 / 6 | |
| 1.8.0 | 50 / 6 | |
| 1.7.3 | 50 / 6 | |
| 1.7.2 | 50 / 6 | |
| 1.7.1 | 50 / 6 | |
| 1.7.0 | 50 / 6 | |
| 1.6.7 | 50 / 6 | |
| 1.6.6 | 50 / 6 | |
v1.25.1
3 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

```
204 | const res = await server.inject({
205 |   method: 'GET',
> 206 |   url: '/api/fs/stat/../../../etc/passwd',
207 | });
208 | assert.strictEqual(res.statusCode, 404);
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

```
228 |   method: 'POST',
229 |   url: '/api/fs/rename',
> 230 |   payload: {oldPath: '../../etc/passwd', newPath: 'safe.txt'},
231 | });
232 | assert.strictEqual(res.statusCode, 403);
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.23.0
3 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

```
190 |
191 | it('rejects .. traversal in URL (Fastify normalizes → 404)', async () => {
> 192 |   const res = await server.inject({method: 'GET', url: '/api/fs/stat/../../../etc/passwd'});
193 |   assert.strictEqual(res.statusCode, 404);
194 | });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

```
213 |   method: 'POST',
214 |   url: '/api/fs/rename',
> 215 |   payload: {oldPath: '../../etc/passwd', newPath: 'safe.txt'},
216 | });
217 | assert.strictEqual(res.statusCode, 403);
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.19.0
3 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

```
190 |
191 | it('rejects .. traversal in URL (Fastify normalizes → 404)', async () => {
> 192 |   const res = await server.inject({method: 'GET', url: '/api/fs/stat/../../../etc/passwd'});
193 |   assert.strictEqual(res.statusCode, 404);
194 | });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

```
213 |   method: 'POST',
214 |   url: '/api/fs/rename',
> 215 |   payload: {oldPath: '../../etc/passwd', newPath: 'safe.txt'},
216 | });
217 | assert.strictEqual(res.statusCode, 403);
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.14.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.12.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.12.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.12.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.11.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.11.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.11.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.10.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.10.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.10.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.10.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.10.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.9.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.9.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.9.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.9.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.8.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.8.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.7.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.6.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.