@steedos/core
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:jsen | AI (dependencies): jsen is a JSON schema validator; stable, benign dependency used across many steedos versions. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex encoding/decoding in a crypto module is standard AES-GCM decryption, not obfuscation. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used in keychain implementation for OS credential storage — expected for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require used to load registered server scripts — documented plugin/extension pattern for this platform. | ai | |
| phantom-deps | phantom-dep:jsen | AI (phantom-deps): Declared in package.json as a runtime dep; phantom-dep heuristic false positive for this package. | ai | |
| phantom-deps | phantom-dep:cookies | AI (phantom-deps): Stable false positive; dependency used transitively or via config in this platform package. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @steedos/core is a long-established scoped package, not a typosquat of 'cors'. | ai | |
| phantom-deps | phantom-dep:body-parser | AI (phantom-deps): Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:simpl-schema | AI (phantom-deps): Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:express-session | AI (phantom-deps): Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:routing-controllers | AI (phantom-deps): Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@steedos/standard-objects | AI (phantom-deps): Same-org scoped package; phantom-dep heuristic not applicable here. | ai | |
| phantom-deps | phantom-dep:mongodb | AI (phantom-deps): Stable false positive; mongodb is a peer/runtime dep used via config in this platform. | ai | |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 2.7.32 | 27 / 9 | |
| 2.7.31 | 27 / 9 | |
| 2.7.30 | 27 / 9 | |
| 2.7.29 | 27 / 9 | |
| 2.7.28 | 27 / 9 | |
| 2.7.27 | 27 / 9 | |
| 2.7.25 | 27 / 9 | |
| 2.7.24 | 27 / 9 | |
| 2.7.19 | 27 / 9 | |
| 2.7.18 | 27 / 9 | |
v2.7.32
2 findings
Package name '@steedos/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.31
2 findings
Package name '@steedos/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.30
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.29
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.28
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.27
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.25
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.24
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.19
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.18
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.