← Home

@open-mercato/core

npm Repository Homepage

Build production-grade business modules on top of the Open Mercato platform.

5
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

patryk.andrzejewskipiotrkarwatka

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
semgrep semgrep:env-spread AI (semgrep): Used to pass env to a child integration runner process; standard pattern, not exfiltration. ai
source-diff large-new-source-files AI (source-diff): New sync_excel module accounts for the file growth; consistent with package scope. ai
semgrep semgrep:hex-decode AI (semgrep): Used in webhook HMAC signature verification with timingSafeEqual; standard security pattern. ai
typosquat typosquat.levenshtein:cors AI (typosquat): Scoped @open-mercato/core package; not a typosquat of cors — different namespace and purpose. ai
phantom-deps phantom-dep:date-fns AI (phantom-deps): date-fns is a declared runtime dependency; phantom-dep heuristic false positive. ai
semgrep semgrep:api-obfuscation-reflect AI (semgrep): Reflect.get used to read a Symbol-keyed metadata property; standard TypeScript metadata pattern. ai
semgrep semgrep:base64-decode AI (semgrep): Used for JWT payload parsing in auth helper; no malicious payload hiding. ai

Versions (showing 5 of 5)

Version Deps Published
0.6.3 14 / 18
0.6.2 13 / 18
0.6.1 13 / 18
0.6.0 12 / 13
0.5.0 9 / 12

v0.6.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.2

2 findings
HIGH env-spread: src/helpers/integration/queue.ts:30 semgrep

Spreading entire process.env into an object — may capture all secrets 28 | const child = spawn(process.execPath, [resolveAppRunnerPath(options.appRoot)], { 29 | cwd: options.appRoot, > 30 | env: { 31 | ...process.env, 32 | OM_INTEGRATION_APP_ROOT: options.appRoot,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.