sails
API-driven framework for building realtime apps, using MVC conventions (based on Express and Socket.io)
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| email-domain | unclaimed-email:mikermcneil | AI (email-domain): mikermcneil is the original Sails.js creator (Mike McNeil); this is a long-standing maintainer identity. The domain finding is a persistent metadata artifact, not an active hijack risk for this well-established package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in sails CLI loads the locally-installed sails instance by path — standard 'prefer local version' pattern for CLI tools, not arbitrary module loading. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is used in sails-debug-console.js to spawn a node debug session — expected behavior for a debug console CLI command. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): Spawns 'node --debug' with known arguments to launch Sails debug console — hardcoded, non-arbitrary, expected CLI behavior. | ai |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 1.5.18 | 43 / 19 | |
| 1.5.17 | 43 / 19 | |
| 1.5.16 | 44 / 19 | |
| 1.5.15 | 44 / 19 | |
| 1.5.14 | 44 / 19 | |
| 1.5.13 | 44 / 19 | |
| 1.5.12 | 44 / 19 | |
| 1.5.11 | 44 / 19 | |
| 1.5.10 | 44 / 19 | |
| 1.5.9 | 44 / 19 | |
| 1.5.8 | 44 / 19 | |
| 1.5.7 | 44 / 19 |
v1.5.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.17
2 findingsMaintainer email '@mikermcneil' uses domain 'mikermcneil' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.16
2 findingsMaintainer email '@mikermcneil' uses domain 'mikermcneil' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.15
2 findingsMaintainer email '@mikermcneil' uses domain 'mikermcneil' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.11
2 findingsMaintainer email '@mikermcneil' uses domain 'mikermcneil' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.