@steedos/server
Steedos Server is a NestJS-based web server that handles API requests for Steedos applications. It replaces the Meteor Server used in Steedos 2.x.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:pino-http | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| phantom-deps | phantom-dep:@nestjs/passport | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| phantom-deps | phantom-dep:@builder6/server | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| phantom-deps | phantom-dep:class-validator | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| phantom-deps | phantom-dep:@types/multer | AI (phantom-deps): Type-only package; framework-scoped, stable false positive. | ai | |
| phantom-deps | phantom-dep:raw-body | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| phantom-deps | phantom-dep:@builder6/cli | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| phantom-deps | phantom-dep:pino-pretty | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| phantom-deps | phantom-dep:dotenv-flow | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| phantom-deps | phantom-dep:@nestjs/jwt | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| phantom-deps | phantom-dep:mime-types | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| phantom-deps | phantom-dep:nopt | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| phantom-deps | phantom-dep:axios | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| phantom-deps | phantom-dep:redis | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| phantom-deps | phantom-dep:multer | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| phantom-deps | phantom-dep:sha256 | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| phantom-deps | phantom-dep:aws-sdk | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| phantom-deps | phantom-dep:mongodb | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| phantom-deps | phantom-dep:fs-extra | AI (phantom-deps): NestJS server package; deps loaded by convention/config, not direct import. | ai | |
| dependencies | unvetted-dep:@builder6/sharepoint | AI (dependencies): First-party @builder6 ecosystem dep from same publisher org. | ai | |
| dependencies | unvetted-dep:@builder6/cli | AI (dependencies): First-party @builder6 ecosystem dep from same publisher org; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@builder6/core | AI (dependencies): First-party @builder6 ecosystem dep from same publisher org. | ai | |
| dependencies | unvetted-dep:@builder6/docs | AI (dependencies): First-party @builder6 ecosystem dep from same publisher org. | ai | |
| dependencies | unvetted-dep:@builder6/oidc | AI (dependencies): First-party @builder6 ecosystem dep from same publisher org. | ai | |
| dependencies | unvetted-dep:@builder6/email | AI (dependencies): First-party @builder6 ecosystem dep from same publisher org. | ai | |
| dependencies | unvetted-dep:@builder6/files | AI (dependencies): First-party @builder6 ecosystem dep from same publisher org. | ai | |
| dependencies | unvetted-dep:@builder6/pages | AI (dependencies): First-party @builder6 ecosystem dep from same publisher org. | ai | |
| dependencies | unvetted-dep:@builder6/rooms | AI (dependencies): First-party @builder6 ecosystem dep from same publisher org. | ai | |
| dependencies | unvetted-dep:@builder6/server | AI (dependencies): First-party @builder6 ecosystem dep from same publisher org. | ai | |
| dependencies | unvetted-dep:@builder6/tables | AI (dependencies): First-party @builder6 ecosystem dep from same publisher org. | ai | |
| dependencies | unvetted-dep:@builder6/steedos | AI (dependencies): First-party @builder6 ecosystem dep from same publisher org. | ai | |
| dependencies | unvetted-dep:@builder6/services | AI (dependencies): First-party @builder6 ecosystem dep from same publisher org. | ai | |
| dependencies | unvetted-dep:@builder6/moleculer | AI (dependencies): First-party @builder6 ecosystem dep from same publisher org. | ai | |
| dependencies | unvetted-dep:@builder6/onlyoffice | AI (dependencies): First-party @builder6 ecosystem dep from same publisher org. | ai | |
| dependencies | unvetted-dep:@builder6/microservices | AI (dependencies): First-party @builder6 ecosystem dep from same publisher org. | ai | |
| dependencies | unvetted-dep:@builder6/oidc-provider | AI (dependencies): First-party @builder6 ecosystem dep from same publisher org. | ai | |
| dependencies | unvetted-dep:@builder6/query-mongodb | AI (dependencies): First-party @builder6 ecosystem dep from same publisher org. | ai | |
| dependencies | unvetted-dep:moleculer | AI (dependencies): Well-known microservices framework; stable dep for this package. | ai | |
| dependencies | unvetted-dep:@nestjs/platform-ws | AI (dependencies): Official NestJS scoped package; stable dep for this package. | ai | |
| phantom-deps | phantom-dep:hbs | AI (phantom-deps): Server-side template engine declared as peer/optional dep; loaded by convention in NestJS apps. | ai | |
| phantom-deps | phantom-dep:dotenv | AI (phantom-deps): Config loading dep referenced in config files; stable false positive. | ai | |
| phantom-deps | phantom-dep:passport-local | AI (phantom-deps): Passport strategy loaded by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:passport | AI (phantom-deps): Auth middleware loaded by @nestjs/passport convention. | ai | |
| phantom-deps | phantom-dep:pino | AI (phantom-deps): Logging library used via nestjs-pino; loaded by convention. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Validation library referenced in config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:ws | AI (phantom-deps): Framework-level implicit dep; stable pattern for this NestJS server package. | ai | |
| phantom-deps | phantom-dep:regenerator-runtime | AI (phantom-deps): Known implicit runtime dep; stable for this package. | ai | |
| phantom-deps | phantom-dep:reflect-metadata | AI (phantom-deps): Known NestJS/TypeScript decorator runtime dep; stable. | ai | |
| phantom-deps | phantom-dep:rxjs | AI (phantom-deps): NestJS core implicit dep; stable for this package. | ai | |
| typosquat | typosquat.levenshtein:semver | AI (typosquat): Scoped @steedos package with 249 versions; name collision with 'semver' is coincidental, not impersonation. | ai | |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 3.0.13 | 72 / 20 | |
| 3.0.12 | 72 / 20 | |
| 3.0.10 | 72 / 20 | |
| 3.0.9 | 72 / 20 | |
| 3.0.7 | 73 / 20 | |
| 3.0.6 | 73 / 20 | |
| 3.0.4 | 73 / 20 | |
| 3.0.3 | 73 / 20 | |
| 3.0.1 | 74 / 20 | |
| 3.0.0 | 74 / 20 | |
v3.0.13
2 findings
Package name '@steedos/server' is 1 edit(s) away from popular package 'semver'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.12
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.10
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.9
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.