
@pyck/workflow-preview

CLI for previewing and building Pyck workflow UIs. Auto-discovers web components and mobile widgets from a `workflows/` directory, serves them in a dev preview with HMR, and produces Module Federation remotes for production.

- Versions: 2
- License: (no value shown)
- Install scripts: No
- Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

- christian-pyck.ai
- matthias.pyck
- mmack_pyck

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Fires in a test file verifying path traversal is blocked; not credential harvesting. | ai | |
| phantom-deps | phantom-dep:lucide-react | AI (phantom-deps): CSS/config-referenced dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@pandacss/dev | AI (phantom-deps): PandaCSS config reference; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@pyck/panda-preset | AI (phantom-deps): Same-org CSS preset referenced in config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@pandacss/preset-base | AI (phantom-deps): PandaCSS config reference; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@pandacss/preset-panda | AI (phantom-deps): PandaCSS config reference; stable false positive for this package. | ai | |

Versions (showing 2 of 2)

| Version | Deps | Published |
|---|---|---|
| 0.2.19 | 11 / 5 | |
| 0.1.0 | 9 / 5 | |

v0.2.19

2 findings
HIGH  etc-passwd-access  src/lib/middleware.test.ts:62  (source: semgrep)

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

Source: https://github.com/pyck-ai/workflow-preview/blob/4ff0ac6ded8bd92d1ef1ccea58a87f8bba37b29b/src/lib/middleware.test.ts#L62

```ts
  60 |
  61 | test('blocks path traversal attempts', () => {
> 62 |   const { req, res, getStatus } = createMockReqRes('/mobile/workflows/../../etc/passwd.rfwtxt')
  63 |   middleware(req, res, () => {})
  64 |   // Should be either 403 (traversal detected) or 404 (file not found)
```

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.0

1 finding
LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.