tldts-tests
tests for different tldts implementations
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Fires on test assertions verifying file:///etc/passwd returns null — not credential access. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Test utility package in a monorepo; minimal README and no keywords are expected for this type of package. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP appears only in test fixture strings passed to tldts.parse(), not in any network request. | ai | |
| phantom-deps | phantom-dep:@types/chai | AI (phantom-deps): @types packages are loaded by convention via TypeScript, not direct imports. | ai | |
| phantom-deps | phantom-dep:@types/mocha | AI (phantom-deps): @types packages are loaded by convention via TypeScript, not direct imports. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 7.4.1 | 4 / 5 | |
| 7.4.0 | 4 / 5 | |
| 7.3.1 | 4 / 5 | |
| 7.3.0 | 4 / 5 | |
| 7.2.1 | 4 / 5 | |
| 7.2.0 | 4 / 5 | |
| 7.1.2 | 4 / 5 | |
| 7.1.1 | 4 / 5 | |
| 7.1.0 | 4 / 5 | |
| 7.0.32 | 4 / 5 | |
| 7.0.31 | 4 / 5 | |
| 7.0.29 | 4 / 5 | |
| 7.0.28 | 4 / 5 | |
| 7.0.26 | 4 / 5 | |
| 7.0.24 | 4 / 5 | |
| 7.0.23 | 4 / 5 | |
| 7.0.22 | 4 / 5 | |
| 7.0.20 | 4 / 5 | |
| 7.0.11 | 4 / 4 | |
v7.4.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.4.0
3 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: ssh://[email protected]/remusao/tldts/blob/7ff853aa1c08d904fa633530b45310c49f706dc3/src/tldts-tests.ts#L1671
```ts
1669 | it('returns null for file:/// (empty authority)', () => {
1670 |   // WHATWG file-host state: an empty buffer means an empty host.
> 1671 |   expect(tldts.getHostname('file:///etc/passwd')).to.equal(null);
1672 |   expect(tldts.getHostname('file:/etc/passwd')).to.equal(null);
1673 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: ssh://[email protected]/remusao/tldts/blob/7ff853aa1c08d904fa633530b45310c49f706dc3/src/tldts-tests.ts#L1672
```ts
1670 |   // WHATWG file-host state: an empty buffer means an empty host.
1671 |   expect(tldts.getHostname('file:///etc/passwd')).to.equal(null);
> 1672 |   expect(tldts.getHostname('file:/etc/passwd')).to.equal(null);
1673 | });
1674 |
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.3.1
3 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: ssh://[email protected]/remusao/tldts/blob/265cece548612cd5c3af340a5f404bff178bfc42/src/tldts-tests.ts#L1542
```ts
1540 | it('returns null for file:/// (empty authority)', () => {
1541 |   // WHATWG file-host state: an empty buffer means an empty host.
> 1542 |   expect(tldts.getHostname('file:///etc/passwd')).to.equal(null);
1543 |   expect(tldts.getHostname('file:/etc/passwd')).to.equal(null);
1544 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: ssh://[email protected]/remusao/tldts/blob/265cece548612cd5c3af340a5f404bff178bfc42/src/tldts-tests.ts#L1543
```ts
1541 |   // WHATWG file-host state: an empty buffer means an empty host.
1542 |   expect(tldts.getHostname('file:///etc/passwd')).to.equal(null);
> 1543 |   expect(tldts.getHostname('file:/etc/passwd')).to.equal(null);
1544 | });
1545 |
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.3.0
3 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: ssh://[email protected]/remusao/tldts/blob/dd9b9303abe3f72eb016af337ae5cd2d818611f9/src/tldts-tests.ts#L1523
```ts
1521 | it('returns null for file:/// (empty authority)', () => {
1522 |   // WHATWG file-host state: an empty buffer means an empty host.
> 1523 |   expect(tldts.getHostname('file:///etc/passwd')).to.equal(null);
1524 |   expect(tldts.getHostname('file:/etc/passwd')).to.equal(null);
1525 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: ssh://[email protected]/remusao/tldts/blob/dd9b9303abe3f72eb016af337ae5cd2d818611f9/src/tldts-tests.ts#L1524
```ts
1522 |   // WHATWG file-host state: an empty buffer means an empty host.
1523 |   expect(tldts.getHostname('file:///etc/passwd')).to.equal(null);
> 1524 |   expect(tldts.getHostname('file:/etc/passwd')).to.equal(null);
1525 | });
1526 |
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.2.1
3 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: ssh://[email protected]/remusao/tldts/blob/89c8a3de96c84f17d8dca27fbd6567c2eb6b9bf6/src/tldts-tests.ts#L1265
```ts
1263 | it('returns null for file:/// (empty authority)', () => {
1264 |   // WHATWG file-host state: an empty buffer means an empty host.
> 1265 |   expect(tldts.getHostname('file:///etc/passwd')).to.equal(null);
1266 |   expect(tldts.getHostname('file:/etc/passwd')).to.equal(null);
1267 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: ssh://[email protected]/remusao/tldts/blob/89c8a3de96c84f17d8dca27fbd6567c2eb6b9bf6/src/tldts-tests.ts#L1266
```ts
1264 |   // WHATWG file-host state: an empty buffer means an empty host.
1265 |   expect(tldts.getHostname('file:///etc/passwd')).to.equal(null);
> 1266 |   expect(tldts.getHostname('file:/etc/passwd')).to.equal(null);
1267 | });
1268 |
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.2.0
3 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: ssh://[email protected]/remusao/tldts/blob/ad2b935aa926d0a9df5420dd2bb55734c929b11a/src/tldts-tests.ts#L1244
```ts
1242 | it('returns null for file:/// (empty authority)', () => {
1243 |   // WHATWG file-host state: an empty buffer means an empty host.
> 1244 |   expect(tldts.getHostname('file:///etc/passwd')).to.equal(null);
1245 |   expect(tldts.getHostname('file:/etc/passwd')).to.equal(null);
1246 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: ssh://[email protected]/remusao/tldts/blob/ad2b935aa926d0a9df5420dd2bb55734c929b11a/src/tldts-tests.ts#L1245
```ts
1243 |   // WHATWG file-host state: an empty buffer means an empty host.
1244 |   expect(tldts.getHostname('file:///etc/passwd')).to.equal(null);
> 1245 |   expect(tldts.getHostname('file:/etc/passwd')).to.equal(null);
1246 | });
1247 |
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.1.2
3 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: ssh://[email protected]/remusao/tldts/blob/5525709c41c747be080a500ae507faf2883c6afd/src/tldts-tests.ts#L1165
```ts
1163 | it('returns null for file:/// (empty authority)', () => {
1164 |   // WHATWG file-host state: an empty buffer means an empty host.
> 1165 |   expect(tldts.getHostname('file:///etc/passwd')).to.equal(null);
1166 |   expect(tldts.getHostname('file:/etc/passwd')).to.equal(null);
1167 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: ssh://[email protected]/remusao/tldts/blob/5525709c41c747be080a500ae507faf2883c6afd/src/tldts-tests.ts#L1166
```ts
1164 |   // WHATWG file-host state: an empty buffer means an empty host.
1165 |   expect(tldts.getHostname('file:///etc/passwd')).to.equal(null);
> 1166 |   expect(tldts.getHostname('file:/etc/passwd')).to.equal(null);
1167 | });
1168 |
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.1.1
3 findings
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: ssh://[email protected]/remusao/tldts/blob/54cf9e31f5632d60e766684108ba50c6ddf60b61/src/tldts-tests.ts#L1165
```ts
1163 | it('returns null for file:/// (empty authority)', () => {
1164 |   // WHATWG file-host state: an empty buffer means an empty host.
> 1165 |   expect(tldts.getHostname('file:///etc/passwd')).to.equal(null);
1166 |   expect(tldts.getHostname('file:/etc/passwd')).to.equal(null);
1167 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: ssh://[email protected]/remusao/tldts/blob/54cf9e31f5632d60e766684108ba50c6ddf60b61/src/tldts-tests.ts#L1166
```ts
1164 |   // WHATWG file-host state: an empty buffer means an empty host.
1165 |   expect(tldts.getHostname('file:///etc/passwd')).to.equal(null);
> 1166 |   expect(tldts.getHostname('file:/etc/passwd')).to.equal(null);
1167 | });
1168 |
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.1.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.0.32
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.0.31
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.0.29
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.0.28
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.0.26
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.0.24
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.0.23
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.0.22
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.0.20
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.0.11
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.