@pipeline-builder/api-core

Core server-side utilities (auth middleware, response helpers, error codes, quota service, HTTP client, logging, AI provider catalog) shared by every Pipeline Builder backend service.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

mwashburn160

Keywords

awscodepipelinecodebuildcicdci-cddevopscdkaws-cdkcloudformationpipelinepipeline-as-codecontainerizeddockerkubernetespluginstypescriptself-servicemulti-teamcomplianceautomationinfrastructure-as-codeiaccli

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding is the alternate encoding path for the same AES-256-GCM master key; no hidden payload.	ai	2026/05/26
source-diff	obfuscated-file:lib/utils/secret-encryption.js	AI (source-diff): Same pattern: inline sourcemap appended to readable compiled TypeScript output.	ai	2026/05/26
semgrep	semgrep:hex-decode	AI (semgrep): Hex decoding is legitimate key parsing for AES-256-GCM master key from env var, not payload hiding.	ai	2026/05/26
source-diff	obfuscated-file:lib/utils/metric-emitter.js	AI (source-diff): Long line is a TypeScript inline sourcemap (base64 data URI), not obfuscated logic; readable source is present above it.	ai	2026/05/26
source-diff	obfuscated-file:lib/utils/org-aws-credentials.js	AI (source-diff): Same pattern: inline sourcemap appended to readable compiled TypeScript output.	ai	2026/05/26
source-diff	obfuscated-file:lib/services/remote-audit-client.js	AI (source-diff): Same pattern: inline sourcemap appended to readable compiled TypeScript output.	ai	2026/05/26
source-diff	obfuscated-file:lib/middleware/mongo-sanitize.js	AI (source-diff): File is readable compiled TS with inline docs; long-line heuristic is a false positive for this package's build output.	ai	2026/04/29
dependencies	unvetted-dep:@asteasolutions/zod-to-openapi	AI (dependencies): @asteasolutions/zod-to-openapi is a well-known legitimate library for Zod-to-OpenAPI schema generation; not a security risk for this package.	ai	2026/04/25

Versions (showing 51 of 95)

View all versions

Version	Deps	Published
3.4.58	8 / 14	2026-06-02
3.4.57	8 / 14	2026-06-01
3.4.56	8 / 14	2026-06-01
3.4.55	8 / 14	2026-06-01
3.4.54	8 / 14	2026-05-29
3.4.42	8 / 14	2026-05-24
3.4.41	8 / 14	2026-05-24
3.4.40	8 / 14	2026-05-24
3.4.39	8 / 14	2026-05-24
3.4.38	8 / 14	2026-05-23
3.4.37	8 / 14	2026-05-23
3.4.36	5 / 14	2026-05-19
3.4.35	5 / 14	2026-05-19
3.4.34	5 / 14	2026-05-19
3.4.33	5 / 14	2026-05-19
3.4.32	5 / 14	2026-05-19
3.4.31	5 / 14	2026-05-19
3.4.30	5 / 14	2026-05-19
3.4.29	5 / 14	2026-05-18
3.4.28	5 / 14	2026-05-18
3.4.27	5 / 14	2026-05-18
3.4.26	5 / 14	2026-05-17
3.4.25	5 / 14	2026-05-17
3.4.24	5 / 14	2026-05-17
3.4.23	5 / 14	2026-05-17
3.4.22	5 / 14	2026-05-17
3.4.21	5 / 14	2026-05-17
3.4.20	5 / 14	2026-05-16
3.4.19	5 / 14	2026-05-16
3.4.18	5 / 14	2026-05-16
3.4.17	5 / 14	2026-05-11
3.4.16	5 / 14	2026-05-11
3.4.15	5 / 14	2026-05-11
3.4.14	5 / 14	2026-05-09
3.4.13	5 / 14	2026-05-09
3.4.12	5 / 14	2026-05-09
3.4.11	5 / 14	2026-05-09
3.4.10	5 / 14	2026-05-07
3.4.9	5 / 14	2026-05-07
3.4.8	5 / 14	2026-05-07
3.4.7	5 / 14	2026-05-07
3.4.6	5 / 14	2026-05-07
3.4.5	5 / 14	2026-05-06
3.4.4	5 / 14	2026-05-06
3.4.3	5 / 14	2026-05-06
3.4.2	5 / 14	2026-05-06
3.4.1	5 / 14	2026-05-06
3.4.0	5 / 14	2026-05-06
3.3.34	5 / 14	2026-05-05
3.3.33	5 / 14	2026-05-05
3.3.32	5 / 14	2026-05-03

v3.4.58

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.57

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.56

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.55

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.54

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.42

5 findings

HIGH New obfuscated file: lib/utils/metric-emitter.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: lib/utils/org-aws-credentials.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: lib/services/remote-audit-client.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: lib/utils/secret-encryption.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.41