@supernova-studio/client
Supernova Data Models
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: the integrity hash recorded in a lockfile binds the lockfile to the tarball that was fetched, not the tarball to any commit or build. The axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Flagged line is a test fixture string for directory traversal validation, not actual /etc/passwd access. | ai | |
| phantom-deps | phantom-dep:y-protocols | AI (phantom-deps): y-protocols is a peer/transitive dep of yjs ecosystem; phantom detection is a stable false positive here. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): 816-version history and 2 approved dependents indicate legitimate active SDK; single dormancy gap is not anomalous. | ai | |
| phantom-deps | phantom-dep:yjs | AI (phantom-deps): yjs is a declared runtime dep used transitively; phantom-dep heuristic fires but it's a legitimate dependency. | ai | |
| phantom-deps | phantom-dep:queue-promise | AI (phantom-deps): queue-promise is a declared runtime dep; phantom-dep heuristic is a false positive for this package. | ai | |
Versions (showing 35 of 35)
| Version | Deps | Published |
|---|---|---|
| 1.96.7 | 9 / 5 | |
| 1.96.6 | 7 / 2 | |
| 1.96.5 | 7 / 2 | |
| 1.96.4 | 7 / 2 | |
| 1.96.3 | 7 / 2 | |
| 1.96.2 | 7 / 2 | |
| 1.96.1 | 7 / 2 | |
| 1.96.0 | 7 / 2 | |
| 1.95.5 | 7 / 2 | |
| 1.95.4 | 7 / 2 | |
| 1.95.3 | 7 / 2 | |
| 1.95.2 | 7 / 2 | |
| 1.95.1 | 7 / 2 | |
| 1.95.0 | 7 / 2 | |
| 1.94.1 | 7 / 2 | |
| 1.94.0 | 7 / 2 | |
| 1.93.0 | 7 / 2 | |
| 1.92.3 | 7 / 2 | |
| 1.92.2 | 7 / 2 | |
| 1.92.1 | 7 / 2 | |
| 1.92.0 | 7 / 2 | |
| 1.91.0 | 7 / 2 | |
| 1.90.7 | 7 / 2 | |
| 1.90.6 | 7 / 2 | |
| 1.90.5 | 7 / 2 | |
| 1.90.4 | 7 / 2 | |
| 1.90.3 | 7 / 2 | |
| 1.90.2 | 7 / 2 | |
| 1.90.1 | 7 / 2 | |
| 1.90.0 | 7 / 2 | |
| 1.89.0 | 7 / 2 | |
| 1.88.2 | 7 / 2 | |
| 1.88.1 | 7 / 2 | |
| 1.88.0 | 7 / 2 | |
| 1.87.11 | 7 / 2 | |
v1.96.7
3 findings
This version was published by a different npm account than previous versions on 2026-06-03. This could indicate a legitimate maintainer transition or an account compromise.
Accessing /etc/passwd or /etc/shadow (credential harvesting on Linux). Accepted as a false positive (see Accepted risks): the flagged line is a test fixture string used to validate directory-traversal handling, not a file access. Source: https://github.com/Supernova-Studio/cloud/blob/18761b17a938e5adb831679fbec6a60975774bf4/src/utils/redirect-validation.ts#L29

```ts
27 |   nonAscii2: "/path/with/emoji/😃",
28 |   mixedEncodingPath: "/path/%41A%42B%C3%28",
> 29 |   directoryTraversal1: "/path/../../etc/passwd",
30 |   directoryTraversal2: "/path/./././",
31 | };
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.96.6 through v1.87.11
1 finding each: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Versions carrying this finding: v1.96.6, v1.96.5, v1.96.4, v1.96.3, v1.96.2, v1.96.1, v1.96.0, v1.95.5, v1.95.4, v1.95.3, v1.95.1, v1.95.0, v1.94.1, v1.94.0, v1.93.0, v1.92.3, v1.92.2, v1.92.1, v1.92.0, v1.91.0, v1.90.7, v1.90.6, v1.90.5, v1.90.4, v1.90.3, v1.90.2, v1.90.1, v1.90.0, v1.89.0, v1.88.2, v1.88.1, v1.88.0, v1.87.11 (no finding entry is listed for v1.95.2). For v1.87.11 the finding carries the note that only ~12% of npm packages have provenance, so this is common but not ideal.