
@oxlayer/snippets

Reusable code templates for OxLayer microservices

Versions: 1
License: Apache-2.0
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

robertveloso

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:etc-passwd-access | AI (semgrep): Strings appear in a security test template as intentional malicious-input fixtures, not actual credential harvesting code. | ai |
semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP (169.254.169.254) is used as a test input string in a security test template to validate SSRF protections, not a real outbound request. | ai |

Versions (showing 1 of 1)

Version | Deps | Published
0.1.0 | 0 / 3 |

v0.1.0

5 findings
HIGH etc-passwd-access: src/testing/security-tests.template.ts:162 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/src/testing/security-tests.template.ts#L162

  160 | setupMocks();
  161 |
> 162 | const maliciousInput = '../../../etc/passwd';
  163 | const result = await ${useCase}.execute({
  164 |   filePath: maliciousInput,

HIGH etc-passwd-access: src/testing/security-tests.template.ts:186 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/src/testing/security-tests.template.ts#L186

  184 | setupMocks();
  185 |
> 186 | const maliciousInput = '/etc/passwd';
  187 | const result = await ${useCase}.execute({
  188 |   filePath: maliciousInput,

HIGH etc-passwd-access: src/testing/security-tests.template.ts:239 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/src/testing/security-tests.template.ts#L239

  237 | setupMocks();
  238 |
> 239 | const maliciousInput = 'file.txt | cat /etc/passwd';
  240 | const result = await ${useCase}.execute({
  241 |   fileName: maliciousInput,

HIGH etc-passwd-access: src/testing/security-tests.template.ts:251 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/oxlayer/ox-toolkit/blob/079b7cf2f18371f81c367d42f4d8709cd5dea4da/src/testing/security-tests.template.ts#L251

  249 | setupMocks();
  250 |
> 251 | const maliciousInput = 'file`cat /etc/passwd`';
  252 | const result = await ${useCase}.execute({
  253 |   fileName: maliciousInput,

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.