@codesandbox/sandpack-client
<img style="width:100%" src="https://user-images.githubusercontent.com/4838076/143581035-ebee5ba2-9cb1-4fe8-a05b-2f44bd69bb4b.gif" alt="Component toolkit for live running code editing experiences" />
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Fires on a JSDoc example string in the BrowserFS virtual FS library, not real credential access. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Fires in bundled Prettier parser minified output; standard build artifact for this package. | ai | |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 2.19.8 | 6 / 5 | |
v2.19.8
3 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/codesandbox/sandpack/blob/83a494906a61517ea597ae94b26e1972f0c67777/sandpack/static/browserfs11/node/core/FS.js#L235

```
  233 |  * Then call the callback argument with either true or false.
  234 |  * @example Sample invocation
> 235 |  * fs.exists('/etc/passwd', function (exists) {
  236 |  *   util.debug(exists ? "it's there" : "no passwd!");
  237 |  * });
```

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/codesandbox/sandpack/blob/83a494906a61517ea597ae94b26e1972f0c67777/sandpack/static/browserfs12/node/core/FS.js#L235

```
  233 |  * Then call the callback argument with either true or false.
  234 |  * @example Sample invocation
> 235 |  * fs.exists('/etc/passwd', function (exists) {
  236 |  *   util.debug(exists ? "it's there" : "no passwd!");
  237 |  * });
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.