@terreno/api
Styled after Django & Django REST Framework, a batteries-included framework for building REST APIs with Node/Express/Mongoose.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): Large new files are test files (realtime.test.js/ts), not production code or injected payloads. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Fires only in a test file for injecting test env vars; not a runtime concern for this package. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package with clear identity; not impersonating joi. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped package with clear identity; not impersonating ajv. | ai | |
| phantom-deps | phantom-dep:scmp | AI (phantom-deps): scmp is a declared runtime dep used for timing-safe comparison; phantom-dep heuristic misfires here. | ai | |
| typosquat | typosquat.levenshtein:hapi | AI (typosquat): @terreno/api is a scoped framework package unrelated to hapi; Levenshtein match is coincidental. | ai | |
| phantom-deps | phantom-dep:generaterr | AI (phantom-deps): Declared dep; phantom-dep heuristic fires on indirect usage patterns. | ai | |
| phantom-deps | phantom-dep:expo-server-sdk | AI (phantom-deps): Declared dep for push notifications; phantom-dep heuristic misfires on optional/conditional imports. | ai | |
| phantom-deps | phantom-dep:@sentry/profiling-node | AI (phantom-deps): Sentry profiling plugin; loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:@types/qs | AI (phantom-deps): Type-only package; not directly imported by design. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped package with clear identity; not impersonating pg. | ai | |
Versions (showing 48 of 48)
| Version | Deps | Published |
|---|---|---|
| 0.17.0 | 38 / 25 | |
| 0.16.1 | 38 / 25 | |
| 0.16.0 | 38 / 25 | |
| 0.15.2 | 38 / 25 | |
| 0.15.1 | 37 / 24 | |
| 0.15.0 | 37 / 24 | |
| 0.14.2 | 37 / 24 | |
| 0.14.1 | 37 / 24 | |
| 0.14.0 | 37 / 24 | |
| 0.13.3 | 35 / 24 | |
| 0.13.2 | 35 / 24 | |
| 0.13.1 | 35 / 24 | |
| 0.13.0 | 35 / 24 | |
| 0.12.2 | 35 / 24 | |
| 0.12.1 | 35 / 24 | |
| 0.12.0 | 35 / 24 | |
| 0.11.9 | 35 / 24 | |
| 0.11.8 | 35 / 24 | |
| 0.11.7 | 35 / 24 | |
| 0.11.6 | 35 / 24 | |
| 0.11.5 | 35 / 24 | |
| 0.11.3 | 36 / 23 | |
| 0.11.2 | 36 / 23 | |
| 0.11.1 | 36 / 23 | |
| 0.11.0 | 36 / 23 | |
| 0.10.0 | 36 / 23 | |
| 0.9.3 | 36 / 23 | |
| 0.9.2 | 36 / 23 | |
| 0.9.1 | 36 / 23 | |
| 0.9.0 | 36 / 23 | |
| 0.8.3 | 36 / 23 | |
| 0.8.2 | 36 / 23 | |
| 0.8.1 | 36 / 23 | |
| 0.8.0 | 36 / 23 | |
| 0.7.2 | 36 / 23 | |
| 0.7.1 | 36 / 23 | |
| 0.7.0 | 29 / 23 | |
| 0.6.0 | 29 / 23 | |
| 0.4.2 | 29 / 23 | |
| 0.4.0 | 29 / 23 | |
| 0.2.0 | 29 / 23 | |
| 0.0.17 | 25 / 20 | |
| 0.0.16 | 25 / 20 | |
| 0.0.15 | 25 / 20 | |
| 0.0.13 | 25 / 20 | |
| 0.0.10 | 25 / 20 | |
| 0.0.3 | 25 / 20 | |
| 0.0.1 | 25 / 20 | |
v0.17.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.3
2 findings: Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/FlourishHealth/terreno/blob/6357e406ac64e5ea7e8c723fcfad719de5f5c50b/src/expressServer.test.ts#L592

```
590 |
591 | beforeEach(() => {
> 592 |   process.env = {
593 |     ...process.env,
594 |     REFRESH_TOKEN_SECRET: "test-refresh-secret",
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.2
2 findings: Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/FlourishHealth/terreno/blob/767d4158ef3b83153d8a6352ff1f9268db7a38ec/src/expressServer.test.ts#L592

```
590 |
591 | beforeEach(() => {
> 592 |   process.env = {
593 |     ...process.env,
594 |     REFRESH_TOKEN_SECRET: "test-refresh-secret",
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.1
2 findings: Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/FlourishHealth/terreno/blob/ac201ae15e753894ae4d88230debdd2d77c55dc7/src/expressServer.test.ts#L592

```
590 |
591 | beforeEach(() => {
> 592 |   process.env = {
593 |     ...process.env,
594 |     REFRESH_TOKEN_SECRET: "test-refresh-secret",
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.0
2 findings: Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/FlourishHealth/terreno/blob/aa0919502e50b9c4fb9093e549ccffcf9e69af00/src/expressServer.test.ts#L592

```
590 |
591 | beforeEach(() => {
> 592 |   process.env = {
593 |     ...process.env,
594 |     REFRESH_TOKEN_SECRET: "test-refresh-secret",
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.2
2 findings: Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/FlourishHealth/terreno/blob/e53b2c6251fd58ed3bb4df3efa7e39776155f7b7/src/expressServer.test.ts#L592

```
590 |
591 | beforeEach(() => {
> 592 |   process.env = {
593 |     ...process.env,
594 |     REFRESH_TOKEN_SECRET: "test-refresh-secret",
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.1
2 findings: Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/FlourishHealth/terreno/blob/fa5cd98d13fea11903a87f904c4754700e911580/src/expressServer.test.ts#L592

```
590 |
591 | beforeEach(() => {
> 592 |   process.env = {
593 |     ...process.env,
594 |     REFRESH_TOKEN_SECRET: "test-refresh-secret",
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
2 findings: Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/FlourishHealth/terreno/blob/b7261cf14d82303314859e9c0a48175bf5262d79/src/expressServer.test.ts#L592

```
590 |
591 | beforeEach(() => {
> 592 |   process.env = {
593 |     ...process.env,
594 |     REFRESH_TOKEN_SECRET: "test-refresh-secret",
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.9
2 findings: Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/FlourishHealth/terreno/blob/02aaec363974dbedab235a3b1dd7cdee20ecfed7/src/expressServer.test.ts#L592

```
590 |
591 | beforeEach(() => {
> 592 |   process.env = {
593 |     ...process.env,
594 |     REFRESH_TOKEN_SECRET: "test-refresh-secret",
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.8
2 findings: Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/FlourishHealth/terreno/blob/6b37b2460c9a81dbbeda7feee310e241256168b2/src/expressServer.test.ts#L592

```
590 |
591 | beforeEach(() => {
> 592 |   process.env = {
593 |     ...process.env,
594 |     REFRESH_TOKEN_SECRET: "test-refresh-secret",
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.7
2 findings: Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/FlourishHealth/terreno/blob/bc4bb236412d6f51a99a73e39038983d35ad629a/src/expressServer.test.ts#L592

```
590 |
591 | beforeEach(() => {
> 592 |   process.env = {
593 |     ...process.env,
594 |     REFRESH_TOKEN_SECRET: "test-refresh-secret",
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.6
2 findings: Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/FlourishHealth/terreno/blob/3bf7b5dc840dd0d9d31c8f8832c764f0b306e448/src/expressServer.test.ts#L592

```
590 |
591 | beforeEach(() => {
> 592 |   process.env = {
593 |     ...process.env,
594 |     REFRESH_TOKEN_SECRET: "test-refresh-secret",
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.5
2 findings: Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/FlourishHealth/terreno/blob/47c4e6f2cca3b1d5f3c204c7a333b603f83fa29a/src/expressServer.test.ts#L592

```
590 |
591 | beforeEach(() => {
> 592 |   process.env = {
593 |     ...process.env,
594 |     REFRESH_TOKEN_SECRET: "test-refresh-secret",
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.17
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.16
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.15
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.13
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.10
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.