@stacksjs/rpx — Greenflagged

A modern and smart reverse proxy.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

chrisbreuerglenn123

Keywords

reverse proxyssldevelopmentenvironmentproxybunstackstypescriptjavascript

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/index.js	AI (source-diff): Standard bundled ESM output with readable imports; not obfuscated, just minified build artifact.	ai	2026/05/21
semgrep	semgrep:silent-process-exec	AI (semgrep): Daemon spawning with detached+unref is expected behavior for a reverse proxy daemon manager.	ai	2026/05/21
semgrep	semgrep:silent-process-exec-var	AI (semgrep): Same daemon-spawn pattern; stable false positive for this package.	ai	2026/05/21
phantom-deps	phantom-dep:@stacksjs/clapp	AI (phantom-deps): Same-org dep; likely used in bundled dist rather than direct import in reviewed source.	ai	2026/05/21
typosquat	typosquat.levenshtein:pg	AI (typosquat): Scoped package @stacksjs/rpx is a reverse proxy tool; Levenshtein match to 'pg' is a false positive.	ai	2026/04/29
semgrep	semgrep:env-spread	AI (semgrep): Reverse proxy/process manager legitimately forwards process.env to child processes; expected pattern for this package.	ai	2026/04/29

Versions (showing 16 of 16)

Version	Deps	Published
0.11.17	2 / 2	2026-05-31
0.11.16	2 / 2	2026-05-31
0.11.15	2 / 2	2026-05-31
0.11.14	2 / 2	2026-05-31
0.11.13	2 / 2	2026-05-27
0.11.12	2 / 2	2026-05-27
0.11.11	2 / 2	2026-05-23
0.11.10	2 / 2	2026-05-22
0.11.9	2 / 2	2026-05-22
0.11.8	2 / 2	2026-05-22
0.11.7	2 / 2	2026-05-14
0.11.5	0 / 5	2026-05-05
0.11.4	0 / 5	2026-04-27
0.11.3	0 / 5	2026-04-21
0.11.2	0 / 5	2026-03-03
0.11.0	1 / 6	2026-02-16

v0.11.17

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.16

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.15

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.14

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.13

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.12

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.11

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.10

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.9

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.7

4 findings

HIGH New obfuscated file: dist/index.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH silent-process-exec: src/daemon.ts:389 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) 387 | 388 | debugLog('daemon', `spawning daemon: ${command.join(' ')}`, verbose) > 389 | const child = nodeSpawn(command[0]!, command.slice(1), { 390 | detached: true, 391 | stdio: 'ignore',

HIGH silent-process-exec-var: src/daemon.ts:389 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) 387 | 388 | debugLog('daemon', `spawning daemon: ${command.join(' ')}`, verbose) > 389 | const child = nodeSpawn(command[0]!, command.slice(1), { 390 | detached: true, 391 | stdio: 'ignore',

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.