@zintrust/core
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decode used for AES-256-GCM IV and auth tag parsing — legitimate crypto pattern. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall is a no-op process.exit(0); stable false positive for this package. | ai | |
| semgrep | semgrep:silent-process-exec | AI (semgrep): Detached spawn in VersionChecker is a self-restart pattern for CLI version upgrades, not a reverse shell. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same VersionChecker self-restart context; benign for this package. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get inside a Proxy get trap is idiomatic JS; not obfuscation. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding JWT/auth token bodies in ServiceAuthMiddleware is standard auth middleware practice. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped package @zintrust/core is a framework, not a typosquat of cors; name collision is coincidental. | ai | |
| phantom-deps | phantom-dep:@zintrust/workers | AI (phantom-deps): Same-org sibling package loaded by framework convention. | ai | |
| phantom-deps | phantom-dep:@cloudflare/containers | AI (phantom-deps): Framework-scoped Cloudflare package loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:bullmq | AI (phantom-deps): bullmq is a declared dependency used via config/convention in this framework. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env-spread passes process.env to a child process spawn — standard CLI framework pattern, not exfiltration. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): All raw-IP references are localhost (127.0.0.1) log messages, not external network calls. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Reads process.env to build worker dev-vars config file — expected framework behavior. | ai | |
Versions (showing 28 of 229)
| Version | Deps | Published |
|---|---|---|
| 0.1.29 | 5 / 0 | |
| 0.1.28 | 5 / 31 | |
| 0.1.27 | 5 / 0 | |
| 0.1.26 | 5 / 0 | |
| 0.1.25 | 5 / 0 | |
| 0.1.24 | 5 / 0 | |
| 0.1.23 | 5 / 0 | |
| 0.1.20 | 5 / 0 | |
| 0.1.19 | 5 / 0 | |
| 0.1.18 | 5 / 0 | |
| 0.1.17 | 5 / 0 | |
| 0.1.16 | 5 / 0 | |
| 0.1.15 | 5 / 0 | |
| 0.1.14 | 5 / 0 | |
| 0.1.13 | 5 / 0 | |
| 0.1.12 | 5 / 0 | |
| 0.1.11 | 5 / 0 | |
| 0.1.10 | 5 / 0 | |
| 0.1.9 | 5 / 0 | |
| 0.1.8 | 6 / 0 | |
| 0.1.7 | 6 / 0 | |
| 0.1.6 | 6 / 0 | |
| 0.1.5 | 7 / 0 | |
| 0.1.4 | 7 / 0 | |
| 0.1.3 | 7 / 0 | |
| 0.1.2 | 0 / 0 | |
| 0.1.1 | 0 / 0 | |
| 0.1.0 | 7 / 19 | |
Per-version findings

Each of the 28 listed versions (v0.1.29 through v0.1.0, as listed in the table above) reports the same two findings:

- Package name '@zintrust/core' is 1 edit(s) away from popular package 'cors'.
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.28 reports 3 findings; in addition to the two above:

- Script: node -e "process.exit(0)"