@serve.zone/remoteingress
Edge ingress tunnel for DcRouter - tunnels TCP and UDP traffic from the network edge to SmartProxy over TLS or QUIC, preserving client IP via PROXY protocol.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | bundled-binaries | AI (npm-metadata): Package explicitly builds and ships Rust binaries (tsrust build step); linux amd64/arm64 binaries are the expected output. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decode is standard JWT/token parsing (Buffer.from → JSON.parse); no obfuscation or exfiltration pattern. | ai | |
| phantom-deps | phantom-dep:@push.rocks/qenv | AI (phantom-deps): @push.rocks/qenv is a declared runtime dependency; phantom-dep heuristic false positive for this package. | ai |
v4.17.1
2 findingsPackage contains compiled binaries that could be backdoors: • dist_rust/remoteingress-bin_linux_amd64 • dist_rust/remoteingress-bin_linux_arm64
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.17.0
2 findingsPackage contains compiled binaries that could be backdoors: • dist_rust/remoteingress-bin_linux_amd64 • dist_rust/remoteingress-bin_linux_arm64
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.