kxk
kodi's tool kit
Supply chain provenance
Status for the latest visible version (0.424.0).
Without SLSA provenance there is no cryptographic link between this tarball and the public source: the registry's integrity hash only proves that the tarball is the one that was published, not that it was built from the repository at a known commit. The axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:js/test/test.js | AI (source-diff): File is CoffeeScript-compiled test code (koffee compiler output). Long lines are an artifact of compilation, not obfuscation. Content is benign mocha test suite. | ai | |
| phantom-deps | phantom-dep:mocha | AI (phantom-deps): mocha is declared in dependencies and used for testing; phantom-dep pattern is normal for test tooling. | ai | |
| phantom-deps | phantom-dep:chokidar | AI (phantom-deps): chokidar is declared in dependencies and referenced in config; legitimate build/watch tool pattern. | ai | |
| phantom-deps | phantom-dep:isbinaryfile | AI (phantom-deps): Toolkit package legitimately uses isbinaryfile; phantom-dep finding is false positive for this package type. | ai | |
| phantom-deps | phantom-dep:pretty-time | AI (phantom-deps): Toolkit package legitimately uses pretty-time; phantom-dep finding is false positive for this package type. | ai | |
| phantom-deps | phantom-dep:html-entities | AI (phantom-deps): Toolkit package legitimately uses html-entities; phantom-dep finding is false positive for this package type. | ai | |
| phantom-deps | phantom-dep:textextensions | AI (phantom-deps): Toolkit package legitimately uses textextensions; phantom-dep finding is false positive for this package type. | ai | |
| npm-metadata | url-dep:source-map | AI (npm-metadata): The source-map URL dep points to the publisher's own GitHub fork (monsterkodi/source-map), consistent with intentional customization. Same author as the package; stable pattern across versions. | ai | |
| typosquat | typosquat.levenshtein:koa | AI (typosquat): kxk is the author's personal toolkit (monsterkodi), not a typosquat of koa. 293 versions and 3319 days of history confirm legitimacy. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding is used to parse inline source map data URIs — a standard, well-understood pattern with no malicious payload risk. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): kxk is a general-purpose toolkit; child_process use is expected and legitimate for its stated functionality. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads a resolved package.json path for metadata reading — standard pattern, not arbitrary module loading. | ai | |
Versions (showing 51 of 293)
| Version | Deps | Published |
|---|---|---|
| 0.424.0 | 17 / 3 | |
| 0.423.0 | 17 / 3 | |
| 0.422.0 | 17 / 3 | |
| 0.421.0 | 17 / 3 | |
| 0.420.0 | 17 / 3 | |
| 0.419.0 | 17 / 3 | |
| 0.418.0 | 17 / 3 | |
| 0.417.0 | 17 / 3 | |
| 0.415.0 | 17 / 3 | |
| 0.414.0 | 17 / 3 | |
| 0.413.0 | 17 / 3 | |
| 0.412.0 | 17 / 3 | |
| 0.408.0 | 17 / 3 | |
| 0.407.0 | 17 / 3 | |
| 0.406.0 | 17 / 3 | |
| 0.404.0 | 17 / 3 | |
| 0.403.0 | 17 / 3 | |
| 0.402.0 | 17 / 3 | |
| 0.401.0 | 17 / 3 | |
| 0.400.0 | 17 / 3 | |
| 0.399.0 | 17 / 3 | |
| 0.397.0 | 17 / 3 | |
| 0.396.0 | 17 / 3 | |
| 0.394.0 | 17 / 3 | |
| 0.393.0 | 17 / 3 | |
| 0.391.0 | 20 / 3 | |
| 0.389.0 | 20 / 3 | |
| 0.387.0 | 20 / 3 | |
| 0.386.0 | 20 / 3 | |
| 0.385.0 | 20 / 3 | |
| 0.384.0 | 20 / 3 | |
| 0.383.0 | 20 / 3 | |
| 0.382.0 | 20 / 3 | |
| 0.381.0 | 20 / 3 | |
| 0.380.0 | 20 / 3 | |
| 0.378.0 | 22 / 3 | |
| 0.377.0 | 22 / 3 | |
| 0.376.0 | 22 / 3 | |
| 0.375.0 | 22 / 3 | |
| 0.374.0 | 22 / 3 | |
| 0.372.0 | 22 / 3 | |
| 0.371.0 | 22 / 3 | |
| 0.370.0 | 22 / 3 | |
| 0.369.0 | 22 / 3 | |
| 0.368.0 | 22 / 3 | |
| 0.367.0 | 22 / 3 | |
| 0.366.0 | 24 / 3 | |
| 0.365.0 | 24 / 3 | |
| 0.364.0 | 24 / 3 | |
| 0.363.0 | 24 / 3 | |
| 0.362.0 | 24 / 3 |
v0.424.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.423.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.422.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.421.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.420.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.419.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.418.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.417.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.415.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.414.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.413.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.412.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.408.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.407.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.406.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.404.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.403.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.402.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.401.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.400.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.399.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.397.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.396.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.394.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.393.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.391.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.389.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.387.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.386.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.385.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.384.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.383.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.382.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.381.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.380.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.378.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.377.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.376.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.375.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.374.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.372.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.371.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.370.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.369.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.368.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.367.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.366.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.365.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.364.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.363.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.362.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.