@scm-manager/ui-components

UI Components for SCM-Manager and its plugins

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sdorrapfeuffercesmarvinmatthias.thieroffavetgittidiegelertzerr

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:etc-passwd-access	AI (semgrep): Fires in test files using /etc/passwd as a path fixture, not credential harvesting.	ai	2026/05/04
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): Raw IPs appear in URL validation test fixtures, not runtime network calls.	ai	2026/05/04
semgrep	semgrep:shady-links-tlds	AI (semgrep): Suspicious TLDs appear in URL validation test fixtures, not runtime code.	ai	2026/05/04

Versions (showing 17 of 17)

Version	Deps	Published
3.11.8	20 / 39	2026-04-07
3.11.7	20 / 39	2026-03-20
3.11.6	20 / 39	2026-03-11
3.11.5	20 / 39	2026-02-25
3.11.4	20 / 39	2026-02-11
3.11.3	20 / 39	2026-02-10
3.11.2	20 / 39	2026-01-12
3.11.1	20 / 39	2025-11-28
3.11.0	20 / 39	2025-09-26
3.10.3	20 / 39	2025-09-17
3.10.2	20 / 39	2025-09-02
3.10.1	20 / 39	2025-08-28
3.10.0	20 / 39	2025-08-19
3.9.0	20 / 39	2025-08-01
3.7.8	20 / 38	2026-02-25
3.7.7	20 / 38	2025-11-28
3.7.6	20 / 38	2025-08-19

v3.11.8

9 findings

HIGH etc-passwd-access: src/repos/diffs.test.ts:53 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 51 | describe("getPath tests", () => { 52 | it("should pick the new path, for type add", () => { > 53 | const file = add("/etc/passwd"); 54 | const path = getPath(file); 55 | expect(path).toBe("/etc/passwd");

HIGH etc-passwd-access: src/repos/diffs.test.ts:55 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 53 | const file = add("/etc/passwd"); 54 | const path = getPath(file); > 55 | expect(path).toBe("/etc/passwd"); 56 | }); 57 |

HIGH etc-passwd-access: src/repos/diffs.test.ts:59 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 57 | 58 | it("should pick the old path, for type delete", () => { > 59 | const file = rm("/etc/passwd"); 60 | const path = getPath(file); 61 | expect(path).toBe("/etc/passwd");

HIGH etc-passwd-access: src/repos/diffs.test.ts:61 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 59 | const file = rm("/etc/passwd"); 60 | const path = getPath(file); > 61 | expect(path).toBe("/etc/passwd"); 62 | }); 63 | });

HIGH etc-passwd-access: src/repos/diffs.test.ts:67 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 65 | describe("createHunkIdentifier tests", () => { 66 | it("should create identifier", () => { > 67 | const file = modify("/etc/passwd"); 68 | const hunk = createHunk("@@ -1,18 +1,15 @@"); 69 | const identifier = createHunkIdentifier(file, hunk);

HIGH etc-passwd-access: src/repos/diffs.test.ts:70 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 68 | const hunk = createHunk("@@ -1,18 +1,15 @@"); 69 | const identifier = createHunkIdentifier(file, hunk); > 70 | expect(identifier).toBe("modify_/etc/passwd_@@ -1,18 +1,15 @@"); 71 | }); 72 | });

HIGH etc-passwd-access: src/repos/diffs.test.ts:77 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 75 | it("should create identifier", () => { 76 | const identifier = createHunkIdentifierFromContext({ > 77 | file: rm("/etc/passwd"), 78 | hunk: createHunk("@@ -1,42 +1,39 @@"), 79 | });

HIGH etc-passwd-access: src/repos/diffs.test.ts:80 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 78 | hunk: createHunk("@@ -1,42 +1,39 @@"), 79 | }); > 80 | expect(identifier).toBe("delete_/etc/passwd_@@ -1,42 +1,39 @@"); 81 | }); 82 | });