@pipeline-builder/api-server
Express server infrastructure for Pipeline Builder: app factory, middleware (CORS, Helmet, rate limiting, idempotency, ETag), request context, route wrappers, health-check helpers, and SSE support.
Versions: 12
License: Apache-2.0
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version:
- No SLSA provenance
- npm registry signatures
- No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers: mwashburn160
Keywords: ci-cd, cicd, continuous-delivery, devops, self-service, platform-engineering, internal-developer-platform, developer-platform, aws, aws-cdk, cdk, codepipeline, codebuild, cloudformation, pipeline, pipeline-as-code, infrastructure-as-code, iac, compliance, policy-as-code, governance, golden-paths, multi-tenant, rbac, ai, ai-pipeline-generation, llm, bedrock, plugins, plugin-marketplace, containerized, docker, kubernetes, typescript, cli
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:lib/otel-bootstrap.js | AI (source-diff): OTel bootstrap preload file; long lines are compiled SDK output, not malicious obfuscation. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New OTel deps match the documented tracing bootstrap feature added in this version. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/instrumentation | AI (phantom-deps): Used transitively by OTel SDK; phantom-dep false positive for this package. | ai | |
| source-diff | obfuscated-file:lib/api/mongo-connect.js | AI (source-diff): Long line is an inline base64 source map, not obfuscation; pattern is stable for compiled TS output in this package. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/auto-instrumentations-node | AI (phantom-deps): OpenTelemetry auto-instrumentation is designed to be loaded via --require flags at runtime, not directly imported in source. This phantom-dep finding is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:jsonwebtoken | AI (phantom-deps): jsonwebtoken is declared as a runtime dependency and referenced in config; may be used indirectly or via dynamic require. Consistent with the package's JWT-related functionality. | ai | |
Versions (showing 12 of 112)
| Version | Deps | Published |
|---|---|---|
| 3.2.5 | 18 / 18 | |
| 3.2.4 | 18 / 18 | |
| 3.2.3 | 18 / 18 | |
| 3.2.2 | 18 / 18 | |
| 3.2.1 | 18 / 18 | |
| 3.2.0 | 16 / 18 | |
| 3.1.5 | 16 / 18 | |
| 3.1.4 | 16 / 18 | |
| 3.1.3 | 16 / 18 | |
| 3.1.2 | 16 / 18 | |
| 3.1.1 | 16 / 18 | |
| 3.1.0 | 16 / 18 | |
v3.2.5: 1 finding
- LOW (provenance): No provenance attestation. Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.2.4: 1 finding
- LOW (provenance): No provenance attestation. Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.