toffee
A NodeJs and browser-side templating language based on CoffeeScript with slicker tokens and syntax.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | suspicious-initial-version | AI (npm-metadata): toffee 0.0.0 is a legitimate ~13-year-old initial release from a trusted publisher with 80 subsequent versions. The 0.0.0 version number reflects early npm era conventions, not malicious intent. | ai | |
| source-diff | net-exec-file:test/express4/public/javascripts/jquery-1.9.0.min.js | AI (source-diff): This is the canonical jQuery v1.9.0 minified library in a test fixture directory. Network+eval patterns are expected jQuery behavior, not malware. | ai | |
| source-diff | net-exec-file:test/express4_error_handling/public/javascripts/jquery-1.9.0.min.js | AI (source-diff): This is the canonical jQuery v1.9.0 minified library in a test fixture directory. Network+eval patterns are expected jQuery behavior, not malware. | ai | |
| source-diff | obfuscated-file:test/express4_error_handling/public/javascripts/test_cases.js | AI (source-diff): File is compiled toffee template output for test fixtures, referencing toffee's own runtime API. Long lines are expected from compiled template bundles, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:test/express3_error_handling/public/javascripts/test_cases.js | AI (source-diff): File is compiled toffee template output in a test directory, not malicious obfuscation. Long lines are a result of template compilation. | ai | |
| source-diff | net-exec-file:test/express3_error_handling/public/javascripts/jquery-1.9.0.min.js | AI (source-diff): This is the canonical jQuery 1.9.0 minified library in a test fixture directory. Not a runtime dependency; no supply-chain risk. | ai | |
| source-diff | net-exec-file:test/express3/public/javascripts/jquery-1.9.0.min.js | AI (source-diff): This is the canonical jQuery 1.9.0 minified library used as a test fixture. Network+eval patterns are expected in jQuery; file is under test/ and not a runtime dependency. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in browser.js evaluates compiled CoffeeScript — this is the core mechanism of a CoffeeScript template engine and is stable/expected behavior for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used in command.js (CLI tool entry point); standard for any CLI that needs to spawn subprocesses. Stable for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in command.js implements a --require flag for user-specified modules, a standard CLI pattern. Stable for this package. | ai | |
Versions (showing 51 of 80)
| Version | Deps | Published |
|---|---|---|
| 0.3.7 | 5 / 8 | |
| 0.3.6 | 5 / 8 | |
| 0.3.5 | 4 / 8 | |
| 0.3.4 | 4 / 8 | |
| 0.3.2 | 4 / 8 | |
| 0.3.1 | 4 / 8 | |
| 0.3.0 | 4 / 8 | |
| 0.2.1 | 4 / 6 | |
| 0.2.0 | 4 / 6 | |
| 0.1.13 | 5 / 6 | |
| 0.1.12 | 5 / 6 | |
| 0.1.11 | 5 / 6 | |
| 0.1.10 | 5 / 6 | |
| 0.1.9 | 5 / 6 | |
| 0.1.8 | 5 / 6 | |
| 0.1.7 | 5 / 4 | |
| 0.1.6 | 5 / 4 | |
| 0.1.5 | 5 / 4 | |
| 0.1.4 | 4 / 4 | |
| 0.1.3 | 4 / 4 | |
| 0.1.2 | 4 / 4 | |
| 0.1.1 | 4 / 4 | |
| 0.1.0 | 4 / 4 | |
| 0.0.64 | 4 / 3 | |
| 0.0.63 | 4 / 3 | |
| 0.0.62 | 4 / 1 | |
| 0.0.61 | 4 / 1 | |
| 0.0.60 | 4 / 1 | |
| 0.0.59 | 4 / 1 | |
| 0.0.58 | 4 / 1 | |
| 0.0.57 | 4 / 1 | |
| 0.0.56 | 4 / 1 | |
| 0.0.55 | 4 / 1 | |
| 0.0.53 | 4 / 1 | |
| 0.0.52 | 4 / 1 | |
| 0.0.51 | 4 / 1 | |
| 0.0.50 | 4 / 1 | |
| 0.0.49 | 4 / 1 | |
| 0.0.48 | 4 / 1 | |
| 0.0.47 | 4 / 1 | |
| 0.0.45 | 4 / 1 | |
| 0.0.44 | 4 / 1 | |
| 0.0.43 | 4 / 1 | |
| 0.0.42 | 3 / 3 | |
| 0.0.41 | 3 / 0 | |
| 0.0.40 | 3 / 0 | |
| 0.0.39 | 3 / 0 | |
| 0.0.38 | 2 / 0 | |
| 0.0.37 | 2 / 0 | |
| 0.0.36 | 2 / 0 | |
| 0.0.35 | 2 / 0 | |
v0.3.7
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.6
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.5
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.4
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
4 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.13
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.12
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.11
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.10
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.9
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.8
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.7
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.6
3 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.5
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.4
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.64
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.63
2 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.62
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.61
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.60
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.59
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.58
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.57
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.56
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.55
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.53
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.52
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.51
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.50
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.49
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.48
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.47
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.45
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.44
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.43
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.42
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.41
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.40
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.39
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.38
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.37
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.36
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.35
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.