steedos-server
华炎魔方最终运行的是源码在 [Creator](/creator) 文件夹内的一个Meteor项目,其最终打包编译生成的文件都在该文件夹内。
2
Versions
—
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
steedos-zhuangjianguosteedos-baozhoutaochenzhipeiyinlianghuisteedos-sunhaolin
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:eval-usage | AI (semgrep): eval() is inside bundled Meteor template engine (meteorhacks_ssr); stable pattern across all versions. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in momentjs locale loader; well-known pattern, stable across versions. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() in underscore.js template engine; standard pattern, stable across versions. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Pre-built Meteor bundle; empty index.js and missing repo/keywords are structural, not spam indicators. | ai |
v2.7.32
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.31
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.