
ace-code

Versions: 1
License
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

nightwing, andrewnester

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| semgrep | semgrep:dll-injection-apis | AI (semgrep): Fires on AutoHotkey/AutoIt keyword string literals in a syntax-highlighting rules file; not executable code. | ai | |
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Fires inside an EDIFACT editor snippet template string; not executed at runtime by the package. | ai | |
| npm-metadata | url-dep:architect-build | AI (npm-metadata): URL dep is in devDependencies only; not shipped to consumers and stable for this build toolchain. | ai | |

Versions (showing 1 of 1)

| Version | Deps | Published |
| --- | --- | --- |
| 1.44.0 | 0 / 9 | |

v1.44.0

4 findings
HIGH dll-injection-apis: src/mode/autohotkey_highlight_rules.js:15 semgrep

DLL injection API detected — potential process injection attack

Source: https://github.com/ajaxorg/ace/blob/214308079cf20dc23e84be7f4164f8459cf9a0a8/src/mode/autohotkey_highlight_rules.js#L15

      13 | var autoItKeywords = 'And|ByRef|Case|Const|ContinueCase|ContinueLoop|Default|Dim|Do|Else|ElseIf|EndFunc|EndIf|EndSel
      14 | 'Abs|ACos|AdlibDisable|AdlibEnable|Asc|AscW|ASin|Assign|ATan|AutoItSetOption|AutoItWinGetTitle|AutoItWinSetTitle
    > 15 | 'ArrayAdd|ArrayBinarySearch|ArrayConcatenate|ArrayDelete|ArrayDisplay|ArrayFindAll|ArrayInsert|ArrayMax|ArrayMax
      16 | 'ce|comments-end|comments-start|cs|include|include-once|NoTrayIcon|RequireAdmin|' +
      17 | 'AutoIt3Wrapper_Au3Check_Parameters|AutoIt3Wrapper_Au3Check_Stop_OnWarning|AutoIt3Wrapper_Change2CUI|AutoIt3Wrap

HIGH etc-passwd-access: src/snippets/edifact.snippets.js:143 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

Source: https://github.com/ajaxorg/ace/blob/214308079cf20dc23e84be7f4164f8459cf9a0a8/src/snippets/edifact.snippets.js#L143

      141 | */
      142 | snippet @au
    > 143 | @author \`system("grep \\\`id -un\\\` /etc/passwd | cut -d \\":\\" -f5 | cut -d \\",\\" -f1")\`
      144 | snippet @br
      145 | @brief \${1:Description}

HIGH etc-passwd-access: src/snippets/java.snippets.js:143 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux

Source: https://github.com/ajaxorg/ace/blob/214308079cf20dc23e84be7f4164f8459cf9a0a8/src/snippets/java.snippets.js#L143

      141 | */
      142 | snippet @au
    > 143 | @author \`system("grep \\\`id -un\\\` /etc/passwd | cut -d \\":\\" -f5 | cut -d \\",\\" -f1")\`
      144 | snippet @br
      145 | @brief \${1:Description}

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.