@ray-js/robot-map-sdk

A high-performance 2D robot vacuum cleaner map SDK based on PIXI.js.

Versions: 4
License: MIT
Install Scripts: Yes
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

tuyafe

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
dependencies | unvetted-dep:@ray-js/robot-protocol | AI (dependencies): Same Tuya/@ray-js org scope; consistent with package's ecosystem. | ai |
dependencies | unvetted-dep:@ray-js/webview-invoke | AI (dependencies): Same Tuya/@ray-js org scope; consistent with package's ecosystem. | ai |
phantom-deps | phantom-dep:gifuct-js | AI (phantom-deps): Same bundler/config usage pattern; stable false positive. | ai |
phantom-deps | phantom-dep:valtio | AI (phantom-deps): Same bundler/config usage pattern; stable false positive. | ai |
phantom-deps | phantom-dep:lodash-es | AI (phantom-deps): Same bundler/config usage pattern; stable false positive. | ai |
phantom-deps | phantom-dep:normalize.css | AI (phantom-deps): CSS dep referenced via config; stable false positive. | ai |
phantom-deps | phantom-dep:patch-package | AI (phantom-deps): Used in postinstall script, not a direct import; stable false positive. | ai |
phantom-deps | phantom-dep:@ray-js/webview-invoke | AI (phantom-deps): Same-org dep; likely re-exported or used indirectly via bundler; stable false positive. | ai |
phantom-deps | phantom-dep:nanoid | AI (phantom-deps): Declared runtime dep used via bundler/config, not direct import; stable pattern for this package. | ai |
semgrep | semgrep:new-function-constructor | AI (semgrep): Fires in bundled VitePress/WebGL dist-docs assets (Vue framework + BufferResource shader compiler), not user-facing library code. | ai |
semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Fires in bundled Vue 3 framework code in dist-docs; Reflect.get is idiomatic Vue reactivity internals. | ai |
semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same docs-server.js context; expected behavior for a background server process. | ai |
semgrep | semgrep:silent-process-exec | AI (semgrep): Detached spawn is in bin/docs-server.js (dev docs server binary), not runtime library code. | ai |
install-scripts | install-script:postinstall | AI (install-scripts): patch-package postinstall is a standard dependency-patching pattern; stable for this package. | ai |

Versions (showing 4 of 4)

Version Deps Published
0.0.14 11 / 30
0.0.4 10 / 23
0.0.3 10 / 23
0.0.2 10 / 23

v0.0.14

4 findings
HIGH  Package has 'postinstall' script  [install-scripts]

Script: patch-package

HIGH  silent-process-exec: bin/docs-server.js:208  [semgrep]

Silent detached process — runs invisibly in the background (reverse shells, miners)

      206 |
      207 |   return new Promise((resolve, reject) => {
    > 208 |     const child = spawn(cmd, args, {
      209 |       detached: true,
      210 |       stdio: 'ignore',

HIGH  silent-process-exec-var: bin/docs-server.js:208  [semgrep]

Silent detached process — runs invisibly in the background (reverse shells, miners)

      206 |
      207 |   return new Promise((resolve, reject) => {
    > 208 |     const child = spawn(cmd, args, {
      209 |       detached: true,
      210 |       stdio: 'ignore',

LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.4

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.3

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.2

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.