ibm-cos-sdk
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:credential-dir-access | AI (semgrep): IBM COS SDK legitimately reads ~/.aws/credentials for AWS-compatible credential loading; stable pattern across all versions. | ai | |
| phantom-deps | phantom-dep:xmlbuilder | AI (phantom-deps): xmlbuilder is declared as a runtime dependency and used transitively via xml2js/AWS SDK internals; phantom-dep heuristic fires but it is a legitimate dependency. | ai | |
v1.15.1
1 finding

Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v1.15.0
6 findings

Accessing credential directories suggests credential harvesting

```js
43 | * @option options profile [String] (AWS_PROFILE env var or 'default')
44 | *   the name of the profile to load.
> 45 | * @option options filename [String] ('~/.aws/credentials' or defined by
46 | *   AWS_SHARED_CREDENTIALS_FILE process env var)
47 | *   the filename to use when loading credentials.
```

Accessing credential directories suggests credential harvesting

```js
32 | * @option options profile [String] (AWS_PROFILE env var or 'default')
33 | *   the name of the profile to load.
> 34 | * @option options filename [String] ('~/.aws/credentials') the filename
35 | *   to use when loading credentials.
36 | * @option options disableAssumeRole [Boolean] (false) True to disable
```

Accessing credential directories suggests credential harvesting

```js
57 | *
58 | * @param options [map] information describing the file
> 59 | * @option options filename [String] ('~/.aws/credentials' or defined by
60 | *   AWS_SHARED_CREDENTIALS_FILE process env var or '~/.aws/config' if
61 | *   isConfig is set to true)
```

Accessing credential directories suggests credential harvesting

```js
58 | * @param options [map] information describing the file
59 | * @option options filename [String] ('~/.aws/credentials' or defined by
> 60 | *   AWS_SHARED_CREDENTIALS_FILE process env var or '~/.aws/config' if
61 | *   isConfig is set to true)
62 | *   path to the file to be read.
```

Accessing credential directories suggests credential harvesting

```js
87 | *
88 | * @param options [map] information describing the file
> 89 | * @option options filename [String] ('~/.aws/config' or defined by
90 | *   AWS_CONFIG_FILE process env var)
91 | * @return [map<String,String>] object containing contents from file in key-value
```

Each of the five flagged lines is a JSDoc comment documenting the `filename` option (the default `~/.aws/credentials` / `~/.aws/config` paths and the AWS_SHARED_CREDENTIALS_FILE / AWS_CONFIG_FILE overrides), which is the shared-credentials-file loading that the accepted-risk entry above records as legitimate for this SDK.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.14.2
1 finding

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.