@zenuml/core

Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @zenuml/core is a scoped package for a sequence diagram library, not a typosquat of cors. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env-spread is in a dev-only snapshot script, not in published library code. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is in .kiro/hooks dev tooling (IDE sound notification), not in published library code. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP is 127.0.0.1 (localhost) in playwright.config.ts for local test server — not a network exfiltration risk. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decode is used to process screenshot image data in a dev analysis script, not to hide payloads. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): Bundled library; deps consumed via dist build rather than direct imports detectable by static analysis. | ai | |
| phantom-deps | phantom-dep:antlr4 | AI (phantom-deps): Bundled library pattern; antlr4 is used in generated parser code bundled into dist. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Bundled library pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:pako | AI (phantom-deps): Bundled library pattern; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:tailwindcss | AI (phantom-deps): Used via postcss config and bundled build; stable false positive for this package. | ai | |
v3.47.9
3 findings

Package name '@zenuml/core' is 1 edit(s) away from popular package 'cors'.

Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/mermaid-js/zenuml-core/blob/e3f93e0eb65d23fa3520e8691a5bca883853aa4b/scripts/snapshot-dual.js#L53

```
51 |
52 | function runPlaywright(mode) {
> 53 |   const env = { ...process.env, VERTICAL_MODE: mode };
54 |   const args = ["playwright", "test", "--update-snapshots", ...testsArg];
55 |   const result = spawnSync("npx", args, {
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.47.6
3 findings

Package name '@zenuml/core' is 1 edit(s) away from popular package 'cors'.

Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/mermaid-js/zenuml-core/blob/55fd4f771ef9ac62ae185192d916eb9b6073ba1d/scripts/snapshot-dual.js#L53

```
51 |
52 | function runPlaywright(mode) {
> 53 |   const env = { ...process.env, VERTICAL_MODE: mode };
54 |   const args = ["playwright", "test", "--update-snapshots", ...testsArg];
55 |   const result = spawnSync("npx", args, {
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.47.2
3 findings

Package name '@zenuml/core' is 1 edit(s) away from popular package 'cors'.

Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/mermaid-js/zenuml-core/blob/d00800a1a5f3d18bdd78f69dc01600a75bf1d4c0/scripts/snapshot-dual.js#L53

```
51 |
52 | function runPlaywright(mode) {
> 53 |   const env = { ...process.env, VERTICAL_MODE: mode };
54 |   const args = ["playwright", "test", "--update-snapshots", ...testsArg];
55 |   const result = spawnSync("npx", args, {
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.