@yamf/core
A lightweight, zero-dependency microservices framework for Node.js with built-in service discovery, API gateway, pub/sub messaging, HTTP routing, and load balancing.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: the registry signature npm attaches to every publish only proves that npm accepted the upload, not where or from what commit the tarball was built. The axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:eval-usage | AI (semgrep): Self-flagged in a TODO comment as a known risk in a CLI shorthand parser; not in install path. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Framework with child-process utilities; expected for a microservices orchestration tool. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding used for deploy bundle signature verification, a legitimate cryptographic use case. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @yamf/core is a scoped microservices framework package, not a typosquat of cors. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): env-config.js is an explicit environment configuration loader; bulk process.env read is its documented purpose. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding is part of AES-256-GCM IV/authTag handling in the crypto module — standard cryptographic pattern. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IPs are localhost/127.0.0.1 references in service-discovery registry diagnostic comments, not exfiltration endpoints. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 0.9.0 | 0 / 5 | |
| 0.8.1 | 0 / 5 | |
| 0.4.1 | 0 / 4 | |
| 0.4.0 | 0 / 4 | |
| 0.3.4 | 0 / 2 | |
| 0.3.2 | 0 / 2 | |
| 0.3.1 | 0 / 2 | |
| 0.3.0 | 0 / 3 | |
v0.9.0
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
2 findings:
- Package name '@yamf/core' is 1 edit(s) away from popular package 'cors'.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.0
2 findings:
- Package name '@yamf/core' is 1 edit(s) away from popular package 'cors'.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.4
2 findings:
- Package name '@yamf/core' is 1 edit(s) away from popular package 'cors'.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.2
2 findings:
- Package name '@yamf/core' is 1 edit(s) away from popular package 'cors'.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.1
2 findings:
- Package name '@yamf/core' is 1 edit(s) away from popular package 'cors'.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.0
2 findings:
- Package name '@yamf/core' is 1 edit(s) away from popular package 'cors'.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
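The two findings repeated for every version above come from a Levenshtein check on the unscoped package name and a check for a Sigstore provenance attestation in the registry's `dist` metadata. The following is an added example of both checks; it is not the scanner's or @yamf/core's code. The popular-package list is a constructed sample, and the `dist.signatures` / `dist.attestations` shape is assumed from what the npm registry returns for provenance-enabled packages.

```javascript
// Added example (not the scanner's or @yamf/core's code): reproducing the
// typosquat and provenance findings from constructed registry metadata.

// Classic Levenshtein distance: insert, delete and substitute each cost 1.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Constructed, deliberately tiny "popular packages" list for the demo.
const POPULAR = ['cors', 'express', 'lodash', 'axios', 'react'];

// The scope is dropped before comparison: '@yamf/core' is compared as 'core',
// which is why a scoped framework package lands 1 edit away from 'cors'.
function unscoped(name) {
  return name.includes('/') ? name.split('/')[1] : name;
}

// Flag every popular name within maxDist edits, excluding an exact match.
function typosquatFindings(name, popular = POPULAR, maxDist = 1) {
  const base = unscoped(name);
  return popular
    .filter((p) => p !== base && levenshtein(base, p) <= maxDist)
    .map((p) => `Package name '${name}' is ${levenshtein(base, p)} edit(s) away from popular package '${p}'.`);
}

// dist.signatures is the registry's own signature over every publish and says
// nothing about where the tarball was built. dist.attestations is only present
// when the publisher ran `npm publish --provenance` from a supported CI system;
// it carries a Sigstore-signed SLSA provenance statement. (Shape assumed.)
function provenanceFinding(dist) {
  const att = dist.attestations;
  if (att && att.provenance && typeof att.provenance.predicateType === 'string') return null;
  return 'Package was published without Sigstore provenance.';
}

function scan(name, dist) {
  const findings = typosquatFindings(name);
  const p = provenanceFinding(dist);
  if (p) findings.push(p);
  return findings;
}

// Constructed samples in the shape of `npm view <pkg>@<ver> dist --json`.
const SAMPLE = {
  withoutProvenance: {
    signatures: [{ keyid: 'example-registry-keyid', sig: 'example-sig' }],
  },
  withProvenance: {
    signatures: [{ keyid: 'example-registry-keyid', sig: 'example-sig' }],
    attestations: {
      url: 'https://registry.npmjs.org/-/npm/v1/attestations/example',
      provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
    },
  },
};

// Usage: reproduces the two findings shown for the older versions above.
function demo() {
  return scan('@yamf/core', SAMPLE.withoutProvenance);
}
```

Against a live registry the same check is `npm view @yamf/core dist.attestations` for one version, or `npm audit signatures` in a project, which verifies both the registry signatures and any provenance attestations of the installed packages.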