riteway
Unit tests that always supply a good bug report when they fail.
Supply chain provenance
Status for the latest visible version.
No Sigstore/SLSA provenance attestation is attached to the latest version. Without one there is no cryptographic link between the tarball on the registry and a specific commit of the public source, so what was published can differ from what the repository shows; the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:dotignore | AI (phantom-deps): Config-referenced build utility; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:glob | AI (phantom-deps): Config-referenced build utility; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:resolve | AI (phantom-deps): Config-referenced build utility; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:minimist | AI (phantom-deps): Config-referenced build utility; stable pattern for this package. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Fires in dev-only release.js script; not shipped as runtime code. | ai | |
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Appears in test file testing path traversal protection, not credential harvesting. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() with no args creates a harmless noop; stable false positive for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established 9-year-old testing library; tea.yaml and missing keywords are cosmetic issues. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 9.3.0 | 13 / 11 | |
| 9.2.0 | 13 / 11 | |
| 9.1.0 | 13 / 11 | |
| 9.0.0 | 9 / 12 | |
v9.3.0
6 findings

bogus-package: matched 2 signal(s), weighted score 8:
- [S_TEA_YAML] Package ships tea.yaml / tea.yml — marker used by tea.xyz token-farming packages.
- [S_NO_KEYWORDS] No keywords declared.
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/ericelliott/riteway/blob/303db2c672dc513fe9af8e434b3f859374178837/release.js#L92
```
  90 | execSync(`npx release-it ${semverType} --ci`, {
  91 |   stdio: "inherit",
> 92 |   env: { ...process.env },
  93 | });
  94 | console.log("🎉 Release completed successfully!");
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/ericelliott/riteway/blob/303db2c672dc513fe9af8e434b3f859374178837/source/ai-command.test.js#L443
```
  441 | const cwd = process.cwd();
  442 | const error = await Try(runAICommand, {
> 443 |   patterns: ['../../../etc/passwd'],
  444 |   runs: 4,
  445 |   threshold: 75,
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/ericelliott/riteway/blob/303db2c672dc513fe9af8e434b3f859374178837/source/validation.test.js#L38
```
  36 | const baseDir = '/home/user/project';
  37 |
> 38 | const error = Try(validateFilePath, '../../etc/passwd', baseDir);
  39 |
  40 | const invoked = [];
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/ericelliott/riteway/blob/303db2c672dc513fe9af8e434b3f859374178837/source/validation.test.js#L61
```
  59 | const baseDir = '/home/user/project';
  60 |
> 61 | const error = Try(validateFilePath, '/etc/passwd', baseDir);
  62 |
  63 | const invoked = [];
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.2.0
1 finding

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.1.0
1 finding

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.0.0
1 finding

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
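Both the "Supply chain provenance" section at the top of this page and the per-version "published without Sigstore provenance" findings come down to one registry field. The following is an added example, not code from the report or from riteway, of how to read that field from an npm registry version document: a version published with `npm publish --provenance` carries `dist.attestations` with an `url` and a `provenance.predicateType` naming the SLSA provenance schema. The two version documents are constructed for this example (package name, versions, integrity values and URLs are placeholders), and `provenanceStatus` is this example's own helper.

```javascript
// SLSA provenance predicate types that npm's provenance attestations use.
const SLSA_PREDICATES = new Set([
  "https://slsa.dev/provenance/v0.2",
  "https://slsa.dev/provenance/v1",
]);

/**
 * Describe whether one entry from packument.versions carries a provenance
 * attestation. Presence of the metadata is all this checks; it does not
 * verify the Sigstore bundle the url points at.
 * @param {object} versionDoc - one value from a packument's "versions" map
 */
function provenanceStatus(versionDoc) {
  const dist = (versionDoc && versionDoc.dist) || {};
  const att = dist.attestations;
  if (!att || typeof att.url !== "string") {
    return { hasProvenance: false, reason: "no dist.attestations on this version" };
  }
  const predicate = att.provenance && att.provenance.predicateType;
  if (!SLSA_PREDICATES.has(predicate)) {
    return { hasProvenance: false, reason: `unrecognised predicateType: ${predicate}` };
  }
  return { hasProvenance: true, predicateType: predicate, attestationsUrl: att.url };
}

// Constructed sample: a version published without provenance, the shape the
// riteway 9.x findings describe (only integrity and tarball under dist).
const versionWithoutProvenance = {
  name: "example-pkg",
  version: "9.3.0",
  dist: {
    integrity: "sha512-AAAA",
    tarball: "https://registry.npmjs.org/example-pkg/-/example-pkg-9.3.0.tgz",
  },
};

// Constructed sample: the shape a provenance-published version has.
const versionWithProvenance = {
  name: "example-pkg",
  version: "9.4.0",
  dist: {
    integrity: "sha512-BBBB",
    tarball: "https://registry.npmjs.org/example-pkg/-/example-pkg-9.4.0.tgz",
    attestations: {
      url: "https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@9.4.0",
      provenance: { predicateType: "https://slsa.dev/provenance/v1" },
    },
  },
};

// Summarise every version of a packument, which is how the per-version
// findings on this page would be produced from one registry fetch.
function summarisePackument(packument) {
  const out = {};
  for (const [version, doc] of Object.entries(packument.versions || {})) {
    out[version] = provenanceStatus(doc).hasProvenance;
  }
  return out;
}

const samplePackument = {
  name: "example-pkg",
  versions: { "9.3.0": versionWithoutProvenance, "9.4.0": versionWithProvenance },
};
console.log(provenanceStatus(versionWithoutProvenance));
console.log(provenanceStatus(versionWithProvenance));
console.log(summarisePackument(samplePackument));
```

Against the live registry the same field is visible with `npm view riteway@9.3.0 dist.attestations --json` (empty when absent), and inside a project `npm audit signatures` verifies registry signatures and provenance attestations for installed packages. Presence of the metadata is the necessary condition the report checks; actual verification of the attestation against the source repository is the step that closes the gap described under "Supply chain provenance".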