@lordgrim85/aria-coding-agent
Coding agent CLI with read, bash, edit, write tools and session management
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:steganography-image-eval | AI (semgrep): WAD file loading in examples/extensions/doom-overlay; not a steganography attack. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): 127.0.0.1 OAuth redirect URI in example extension; localhost is not suspicious. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Doom JS module loader in examples/; not runtime library code. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Desktop notification helper in examples/extensions/notify.ts; benign use of execFile. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Writing base64-decoded image data to file in example extension; standard pattern. | ai |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 0.70.5 | 21 / 8 |
v0.70.5
2 findingsData read from image file then executed — steganography attack pattern Source: https://github.com/LordGrim85/aria-core/blob/9aa9155ad4221133b70368b133beb79ed351f177/examples/extensions/doom-overlay/doom-engine.ts#L58 56 | 57 | // Read WAD file > 58 | const wadData = readFileSync(this.wadPath); 59 | const wadArray = Array.from(new Uint8Array(wadData)); 60 |
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.