@wocker/ws
Docker workspace for web projects
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped Docker workspace CLI; not a typosquat of qs — name collision is coincidental. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Same reasoning; @wocker/ws is unrelated to pg. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Used in crypto key derivation (scrypt + salt); legitimate cryptographic pattern. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Used in AES-GCM decryption routine; standard crypto usage. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Loads a user-controlled keystore config file by path; expected plugin/config pattern. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Docker workspace CLI legitimately shells out to run commands; expected usage. | ai | |
| phantom-deps | phantom-dep:dockerode | AI (phantom-deps): dockerode is declared in dependencies and used via @wocker/docker-module abstraction. | ai | |
| phantom-deps | phantom-dep:protobufjs | AI (phantom-deps): Transitive/indirect usage through gRPC-related dependencies; stable false positive. | ai | |
| phantom-deps | phantom-dep:docker-compose | AI (phantom-deps): docker-compose is a declared dep used via @wocker/docker-module; stable false positive. | ai |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 1.1.0 | 9 / 12 | |
| 1.0.32 | 14 / 15 | |
| 1.0.31 | 14 / 15 | |
| 1.0.30 | 14 / 15 | |
| 1.0.29 | 14 / 15 | |
| 1.0.28 | 14 / 15 | |
| 1.0.27 | 14 / 15 | |
| 1.0.26 | 13 / 14 | |
| 1.0.25 | 16 / 14 | |
| 1.0.24 | 15 / 14 | |
| 1.0.23 | 16 / 13 | |
| 1.0.22 | 16 / 14 |
v1.1.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.32
2 findingsPackage name '@wocker/ws' is 1 edit(s) away from popular package 'qs'.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.31
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.30
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.29
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.28
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.27
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.26
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.25
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.24
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.23
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.22
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.