← Home

cos-js-sdk-v5

npm Repository Homepage

JavaScript SDK for [腾讯云对象存储](https://cloud.tencent.com/product/cos)

2
Versions
ISC
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

galenyipyinshawnraocarsonxutianfengwonderswang

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
install-scripts install-script:postinstall AI (install-scripts): Postinstall runs patch-check.js to verify patch-package patches; this is a documented, legitimate pattern for this SDK. Consistent across versions. ai
semgrep semgrep:child-process-import AI (semgrep): child_process use in scripts/patch-check.js is for patch-package verification, not arbitrary code execution. Benign for this package. ai
semgrep semgrep:shady-links-raw-ip AI (semgrep): The flagged IP (127.0.0.1) is in a commented-out line in a demo file — a localhost placeholder in example code, not a real network request. Stable false positive for this package. ai
provenance no-provenance AI (provenance): Established Tencent Cloud SDK with 3272-day history and official GitHub org. Lack of Sigstore provenance is expected for packages of this age. ai

Versions (showing 2 of 2)

Version Deps Published
1.10.1 1 / 17
0.5.27 1 / 8

v1.10.1

2 findings
HIGH Package has 'postinstall' script install-scripts

Script: node scripts/patch-check.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.27

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.