@nextrush/cors
CORS middleware for NextRush
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Fires only in test fixtures using file:///etc/passwd as a mock origin to validate CORS rejection logic; not production code. | ai | |
v3.0.5
3 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

```
586 | const middleware = cors({ origin: true });
587 | const ctx = createMockContext({
> 588 |   headers: { origin: 'file:///etc/passwd' },
589 |   get: vi.fn((name) =>
590 |     name.toLowerCase() === 'origin' ? 'file:///etc/passwd' : undefined
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

```
588 |   headers: { origin: 'file:///etc/passwd' },
589 |   get: vi.fn((name) =>
> 590 |     name.toLowerCase() === 'origin' ? 'file:///etc/passwd' : undefined
591 |   ),
592 | });
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.