@loopback/express
Integrate with Express and expose middleware infrastructure for sequence and interceptors
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used to dynamically name a class in middleware-interceptor; input is controlled internal className, not user data. | ai | |
| phantom-deps | phantom-dep:body-parser | AI (phantom-deps): Listed as runtime dependency; phantom-dep heuristic false positive for this framework package. | ai | |
| phantom-deps | phantom-dep:http-errors | AI (phantom-deps): Listed as runtime dependency; phantom-dep heuristic false positive for this framework package. | ai | |
| phantom-deps | phantom-dep:@types/express | AI (phantom-deps): Framework-scoped @types package; stable false positive for this TypeScript package. | ai | |
| phantom-deps | phantom-dep:@types/body-parser | AI (phantom-deps): Framework-scoped @types package; stable false positive for this TypeScript package. | ai | |
| phantom-deps | phantom-dep:@types/http-errors | AI (phantom-deps): Framework-scoped @types package; stable false positive for this TypeScript package. | ai | |
| phantom-deps | phantom-dep:@types/express-serve-static-core | AI (phantom-deps): Framework-scoped @types package; stable false positive for this TypeScript package. | ai |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 8.0.12 | 12 / 9 | |
| 8.0.11 | 12 / 9 | |
| 8.0.10 | 12 / 9 | |
| 8.0.9 | 12 / 9 | |
| 8.0.8 | 12 / 9 | |
| 8.0.7 | 12 / 9 | |
| 8.0.6 | 12 / 9 | |
| 8.0.5 | 12 / 9 | |
| 8.0.4 | 12 / 9 | |
| 8.0.3 | 12 / 9 | |
| 8.0.2 | 12 / 9 | |
| 8.0.1 | 12 / 9 | |
| 8.0.0 | 12 / 9 |
v8.0.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.