@saltcorn/server
Server app for Saltcorn, open-source no-code platform
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:semver | AI (typosquat): @saltcorn/server is a scoped package for the Saltcorn platform, not a typosquat of semver. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Loads locale JSON files by name from a controlled directory — not arbitrary module loading. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Fires inside bundled Monaco editor loader.js — standard pattern in the Monaco editor bundle. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): Eval used to execute data-on-cloned attribute callbacks in DOM — expected no-code platform behavior. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Used in restart_watcher.js for server restart functionality — legitimate server management use. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Fetches localhost (127.0.0.1) for systemd watchdog health check — not an exfiltration endpoint. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established platform package; README link dump and empty auth/index.js are artifacts of monorepo structure. | ai | |
v1.5.7
2 findings
Package name '@saltcorn/server' is 1 edit(s) away from popular package 'semver'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.6
2 findings
Package name '@saltcorn/server' is 1 edit(s) away from popular package 'semver'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.