tldts-tests
tests for different tldts implementations
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Fires on test assertions verifying file:///etc/passwd returns null — not credential access. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Test utility package in a monorepo; minimal README and no keywords are expected for this type of package. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP appears only in test fixture strings passed to tldts.parse(), not in any network request. | ai | |
| phantom-deps | phantom-dep:@types/chai | AI (phantom-deps): @types packages are loaded by convention via TypeScript, not direct imports. | ai | |
| phantom-deps | phantom-dep:@types/mocha | AI (phantom-deps): @types packages are loaded by convention via TypeScript, not direct imports. | ai |
Versions (showing 25 of 25)
| Version | Deps | Published |
|---|---|---|
| 7.4.7 | 4 / 5 | |
| 7.4.6 | 4 / 5 | |
| 7.4.5 | 4 / 5 | |
| 7.4.4 | 4 / 5 | |
| 7.4.3 | 4 / 5 | |
| 7.4.2 | 4 / 5 | |
| 7.4.1 | 4 / 5 | |
| 7.4.0 | 4 / 5 | |
| 7.3.1 | 4 / 5 | |
| 7.3.0 | 4 / 5 | |
| 7.2.1 | 4 / 5 | |
| 7.2.0 | 4 / 5 | |
| 7.1.2 | 4 / 5 | |
| 7.1.1 | 4 / 5 | |
| 7.1.0 | 4 / 5 | |
| 7.0.32 | 4 / 5 | |
| 7.0.31 | 4 / 5 | |
| 7.0.29 | 4 / 5 | |
| 7.0.28 | 4 / 5 | |
| 7.0.26 | 4 / 5 | |
| 7.0.24 | 4 / 5 | |
| 7.0.23 | 4 / 5 | |
| 7.0.22 | 4 / 5 | |
| 7.0.20 | 4 / 5 | |
| 7.0.11 | 4 / 4 |
v7.4.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.4.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.4.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.4.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.4.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.4.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.4.0
3 findingsAccessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: ssh://[email protected]/remusao/tldts/blob/7ff853aa1c08d904fa633530b45310c49f706dc3/src/tldts-tests.ts#L1671 1669 | it('returns null for file:/// (empty authority)', () => { 1670 | // WHATWG file-host state: an empty buffer means an empty host. > 1671 | expect(tldts.getHostname('file:///etc/passwd')).to.equal(null); 1672 | expect(tldts.getHostname('file:/etc/passwd')).to.equal(null); 1673 | });
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: ssh://[email protected]/remusao/tldts/blob/7ff853aa1c08d904fa633530b45310c49f706dc3/src/tldts-tests.ts#L1672 1670 | // WHATWG file-host state: an empty buffer means an empty host. 1671 | expect(tldts.getHostname('file:///etc/passwd')).to.equal(null); > 1672 | expect(tldts.getHostname('file:/etc/passwd')).to.equal(null); 1673 | }); 1674 |
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.3.1
3 findingsAccessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: ssh://[email protected]/remusao/tldts/blob/265cece548612cd5c3af340a5f404bff178bfc42/src/tldts-tests.ts#L1542 1540 | it('returns null for file:/// (empty authority)', () => { 1541 | // WHATWG file-host state: an empty buffer means an empty host. > 1542 | expect(tldts.getHostname('file:///etc/passwd')).to.equal(null); 1543 | expect(tldts.getHostname('file:/etc/passwd')).to.equal(null); 1544 | });
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: ssh://[email protected]/remusao/tldts/blob/265cece548612cd5c3af340a5f404bff178bfc42/src/tldts-tests.ts#L1543 1541 | // WHATWG file-host state: an empty buffer means an empty host. 1542 | expect(tldts.getHostname('file:///etc/passwd')).to.equal(null); > 1543 | expect(tldts.getHostname('file:/etc/passwd')).to.equal(null); 1544 | }); 1545 |
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.3.0
3 findingsAccessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: ssh://[email protected]/remusao/tldts/blob/dd9b9303abe3f72eb016af337ae5cd2d818611f9/src/tldts-tests.ts#L1523 1521 | it('returns null for file:/// (empty authority)', () => { 1522 | // WHATWG file-host state: an empty buffer means an empty host. > 1523 | expect(tldts.getHostname('file:///etc/passwd')).to.equal(null); 1524 | expect(tldts.getHostname('file:/etc/passwd')).to.equal(null); 1525 | });
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: ssh://[email protected]/remusao/tldts/blob/dd9b9303abe3f72eb016af337ae5cd2d818611f9/src/tldts-tests.ts#L1524 1522 | // WHATWG file-host state: an empty buffer means an empty host. 1523 | expect(tldts.getHostname('file:///etc/passwd')).to.equal(null); > 1524 | expect(tldts.getHostname('file:/etc/passwd')).to.equal(null); 1525 | }); 1526 |
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.2.1
3 findingsAccessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: ssh://[email protected]/remusao/tldts/blob/89c8a3de96c84f17d8dca27fbd6567c2eb6b9bf6/src/tldts-tests.ts#L1265 1263 | it('returns null for file:/// (empty authority)', () => { 1264 | // WHATWG file-host state: an empty buffer means an empty host. > 1265 | expect(tldts.getHostname('file:///etc/passwd')).to.equal(null); 1266 | expect(tldts.getHostname('file:/etc/passwd')).to.equal(null); 1267 | });
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: ssh://[email protected]/remusao/tldts/blob/89c8a3de96c84f17d8dca27fbd6567c2eb6b9bf6/src/tldts-tests.ts#L1266 1264 | // WHATWG file-host state: an empty buffer means an empty host. 1265 | expect(tldts.getHostname('file:///etc/passwd')).to.equal(null); > 1266 | expect(tldts.getHostname('file:/etc/passwd')).to.equal(null); 1267 | }); 1268 |
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.1.1
3 findingsAccessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: ssh://[email protected]/remusao/tldts/blob/54cf9e31f5632d60e766684108ba50c6ddf60b61/src/tldts-tests.ts#L1165 1163 | it('returns null for file:/// (empty authority)', () => { 1164 | // WHATWG file-host state: an empty buffer means an empty host. > 1165 | expect(tldts.getHostname('file:///etc/passwd')).to.equal(null); 1166 | expect(tldts.getHostname('file:/etc/passwd')).to.equal(null); 1167 | });
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: ssh://[email protected]/remusao/tldts/blob/54cf9e31f5632d60e766684108ba50c6ddf60b61/src/tldts-tests.ts#L1166 1164 | // WHATWG file-host state: an empty buffer means an empty host. 1165 | expect(tldts.getHostname('file:///etc/passwd')).to.equal(null); > 1166 | expect(tldts.getHostname('file:/etc/passwd')).to.equal(null); 1167 | }); 1168 |
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.