← Home

@things-factory/shell

npm Repository
5
Versions
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

woo_ramjyp220heartyohhorwengliang95nalshya113shortstopyoungwookwengliang95

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
semgrep semgrep:hex-decode AI (semgrep): Hex decode is part of AES-CBC decryption using Node crypto; legitimate encryption utility. ai
phantom-deps phantom-dep:oracledb AI (phantom-deps): Optional DB driver; same pattern as pg. ai
phantom-deps phantom-dep:husky AI (phantom-deps): Dev tooling dep; not imported at runtime. ai
phantom-deps phantom-dep:nodemon AI (phantom-deps): Dev tooling dep; not imported at runtime. ai
phantom-deps phantom-dep:@things-factory/styles AI (phantom-deps): Same-org dep used via CSS/config, not JS import — stable false positive. ai
phantom-deps phantom-dep:pg AI (phantom-deps): Optional DB driver declared in optionalDependencies; not directly imported by design. ai
phantom-deps phantom-dep:sqlite3 AI (phantom-deps): Optional DB driver; same pattern as pg. ai
phantom-deps phantom-dep:mssql AI (phantom-deps): Optional DB driver; same pattern as pg. ai
phantom-deps phantom-dep:mysql2 AI (phantom-deps): Optional DB driver; same pattern as pg. ai
phantom-deps phantom-dep:better-sqlite3 AI (phantom-deps): Optional DB driver; same pattern as pg. ai
phantom-deps phantom-dep:sass AI (phantom-deps): Build/config-only dep for this framework shell package. ai
provenance no-provenance AI (provenance): Long-established package; lack of provenance is consistent across all 1389 versions. ai
semgrep semgrep:dynamic-require AI (semgrep): Loads ormconfig from appRootPath — intentional plugin/config pattern for this framework shell. ai
semgrep semgrep:shady-links-raw-ip AI (semgrep): 127.0.0.1 is localhost dev-server render host; not exfiltration. ai

Versions (showing 5 of 5)

Version Deps Published
9.1.19 90 / 0
8.0.63 93 / 0
6.4.8 91 / 0
4.3.815 93 / 0
4.3.695 93 / 0

v9.1.19

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v8.0.63

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v6.4.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.3.815

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.3.695

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.