accord
A unified interface for compiled languages and templates in JavaScript
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:when | AI (phantom-deps): Old package (v0.0.2, 4520 days); phantom dep pattern reflects indirect usage in config/build files, not a security concern for this package. | ai | |
| phantom-deps | phantom-dep:colors | AI (phantom-deps): Same as above — declared dep used indirectly in config files, benign for this established package. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): Same as above — declared dep used indirectly in config files, benign for this established package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): accord's core design dynamically loads template engine adapters by user-specified path. This is intentional and documented behavior, not a supply-chain risk. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in eco/1.x.js evaluates compiled Eco template output — this is how the Eco template engine works and is expected behavior for this adapter. | ai | |
| phantom-deps | phantom-dep:lodash.uniq | AI (phantom-deps): lodash.uniq is properly declared in package.json dependencies; the phantom-dep finding is a false positive likely due to indirect usage patterns. | ai | |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 0.30.0 | 13 / 44 | |
| 0.29.0 | 14 / 43 | |
| 0.28.0 | 14 / 43 | |
| 0.27.3 | 14 / 43 | |
| 0.27.1 | 14 / 43 | |
| 0.26.4 | 14 / 42 | |
| 0.26.3 | 14 / 42 | |
| 0.22.2 | 9 / 41 | |
| 0.20.1 | 9 / 38 | |
| 0.20.0 | 9 / 38 | |
| 0.0.2 | 4 / 12 | |
v0.30.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.28.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.27.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.2
2 findings: Maintainer email '[email protected]' uses domain 'jenius.me' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.20.1
2 findings: Maintainer email '[email protected]' uses domain 'jenius.me' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.20.0
2 findings: Maintainer email '[email protected]' uses domain 'jenius.me' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.2
2 findings: Maintainer email '[email protected]' uses domain 'jenius.me' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.