kxk — Greenflagged

kodi's tool kit

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

monsterkodi

Keywords

coffeescripttoolkit

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:js/test/test.js	AI (source-diff): File is CoffeeScript-compiled test code (koffee compiler output). Long lines are an artifact of compilation, not obfuscation. Content is benign mocha test suite.	ai	2026/04/24
phantom-deps	phantom-dep:mocha	AI (phantom-deps): mocha is declared in dependencies and used for testing; phantom-dep pattern is normal for test tooling.	ai	2026/04/24
phantom-deps	phantom-dep:chokidar	AI (phantom-deps): chokidar is declared in dependencies and referenced in config; legitimate build/watch tool pattern.	ai	2026/04/24
phantom-deps	phantom-dep:isbinaryfile	AI (phantom-deps): Toolkit package legitimately uses isbinaryfile; phantom-dep finding is false positive for this package type.	ai	2026/04/24
phantom-deps	phantom-dep:pretty-time	AI (phantom-deps): Toolkit package legitimately uses pretty-time; phantom-dep finding is false positive for this package type.	ai	2026/04/24
phantom-deps	phantom-dep:html-entities	AI (phantom-deps): Toolkit package legitimately uses html-entities; phantom-dep finding is false positive for this package type.	ai	2026/04/24
phantom-deps	phantom-dep:textextensions	AI (phantom-deps): Toolkit package legitimately uses textextensions; phantom-dep finding is false positive for this package type.	ai	2026/04/24
npm-metadata	url-dep:source-map	AI (npm-metadata): The source-map URL dep points to the publisher's own GitHub fork (monsterkodi/source-map), consistent with intentional customization. Same author as the package; stable pattern across versions.	ai	2026/04/24
typosquat	typosquat.levenshtein:koa	AI (typosquat): kxk is the author's personal toolkit (monsterkodi), not a typosquat of koa. 293 versions and 3319 days of history confirm legitimacy.	ai	2026/04/24
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding is used to parse inline source map data URIs — a standard, well-understood pattern with no malicious payload risk.	ai	2026/04/23
semgrep	semgrep:child-process-import	AI (semgrep): kxk is a general-purpose toolkit; child_process use is expected and legitimate for its stated functionality.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require loads a resolved package.json path for metadata reading — standard pattern, not arbitrary module loading.	ai	2026/04/23

Versions (showing 93 of 293)

Version	Deps	Published
0.46.0	14 / 2	2018-03-17
0.45.0	14 / 2	2018-03-17
0.44.0	14 / 2	2018-03-17
0.43.0	14 / 2	2018-03-17
0.42.2	14 / 2	2018-03-16
0.42.1	14 / 2	2018-03-16
0.42.0	14 / 2	2018-03-15
0.41.0	14 / 2	2018-03-14
0.40.1	14 / 2	2018-03-13
0.40.0	14 / 2	2018-03-12
0.39.1	13 / 3	2018-03-11
0.39.0	13 / 3	2018-03-10
0.38.0	13 / 3	2018-03-10
0.37.2	13 / 3	2018-03-09
0.37.0	13 / 3	2018-03-09
0.36.0	13 / 3	2018-03-08
0.35.0	13 / 3	2018-03-07
0.34.0	13 / 3	2018-03-04
0.33.0	11 / 3	2018-03-04
0.31.0	10 / 3	2018-03-03
0.30.0	10 / 3	2018-03-03
0.28.0	10 / 3	2018-02-28
0.27.0	10 / 3	2018-02-28
0.25.0	10 / 3	2018-02-25
0.23.2	11 / 3	2018-02-25
0.23.0	11 / 3	2018-02-25
0.20.0	11 / 3	2018-02-23
0.19.7	11 / 3	2018-02-22
0.19.5	11 / 3	2017-11-17
0.19.3	11 / 3	2017-11-16
0.19.2	11 / 3	2017-11-15
0.19.1	11 / 3	2017-10-30
0.19.0	11 / 3	2017-10-24
0.18.1	11 / 3	2017-10-23
0.18.0	11 / 3	2017-10-22
0.17.8	11 / 3	2017-10-12
0.17.7	11 / 3	2017-10-10
0.17.6	11 / 3	2017-10-07
0.17.5	11 / 3	2017-10-07
0.17.4	11 / 3	2017-09-30
0.17.3	11 / 3	2017-09-30
0.17.2	11 / 3	2017-09-30
0.17.1	11 / 3	2017-09-25
0.17.0	11 / 3	2017-09-25
0.16.13	11 / 3	2017-09-25
0.16.12	11 / 3	2017-09-05
0.16.11	11 / 3	2017-09-05
0.16.10	11 / 3	2017-09-05
0.16.9	11 / 3	2017-09-05
0.16.8	11 / 3	2017-09-05
0.16.7	11 / 3	2017-08-30
0.16.6	11 / 3	2017-08-28
0.16.5	11 / 3	2017-08-28
0.16.4	11 / 3	2017-08-27
0.16.3	11 / 3	2017-05-13
0.16.2	11 / 3	2017-05-10
0.16.1	11 / 3	2017-05-08
0.16.0	11 / 3	2017-05-05
0.15.3	11 / 3	2017-05-03
0.15.2	11 / 3	2017-05-02
0.15.1	11 / 3	2017-04-26
0.15.0	11 / 3	2017-04-25
0.14.0	11 / 3	2017-04-23
0.13.1	11 / 3	2017-04-22
0.13.0	11 / 3	2017-04-18
0.11.3	11 / 3	2017-04-17
0.11.1	11 / 3	2017-04-17
0.11.0	11 / 3	2017-04-16
0.10.2	10 / 3	2017-04-14
0.10.1	10 / 3	2017-04-14
0.10.0	9 / 3	2017-04-13
0.9.0	9 / 3	2017-04-11
0.8.1	8 / 3	2017-04-11
0.8.0	7 / 3	2017-04-09
0.7.1	7 / 3	2017-04-08
0.7.0	7 / 3	2017-04-08
0.6.0	7 / 3	2017-04-01
0.5.6	7 / 0	2017-04-01
0.5.5	7 / 0	2017-04-01
0.5.4	7 / 0	2017-03-29
0.5.3	7 / 0	2017-03-28
0.5.2	7 / 0	2017-03-28
0.4.3	7 / 0	2017-03-27
0.4.1	7 / 0	2017-03-27
0.3.1	6 / 0	2017-03-24
0.2.6	6 / 0	2017-03-23
0.2.5	6 / 0	2017-03-23
0.2.4	6 / 0	2017-03-23
0.2.3	6 / 0	2017-03-23
0.2.2	6 / 0	2017-03-23
0.2.1	6 / 0	2017-03-23
0.1.2	1 / 0	2017-03-23
0.1.1	1 / 0	2017-03-22