waterline
An ORM for Node.js and the Sails framework
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:coverage/lcov-report/prettify.js | AI (source-diff): This is the standard Google Code Prettify minified JS bundled by Istanbul into lcov HTML coverage reports. Not malicious — coverage artifacts accidentally committed to the package. | ai | |
| source-diff | obfuscated-file:lib/waterline/utils/query/private/is-valid-attribute-name.js | AI (source-diff): The long line is a comprehensive Unicode character-class regex for ECMAScript identifier validation — a well-known pattern, not obfuscation. Code is otherwise readable and well-structured. | ai | |
| provenance | missing-githead | AI (provenance): Waterline is a long-established, well-known ORM package. Missing gitHead is a publish environment change, not a security signal, given the publisher's strong track record and no material code changes. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is Waterline's intentional adapter-loading mechanism — adapters are loaded by identity name as part of the ORM's plugin architecture. Not a security risk in this context. | ai | |
| provenance | no-provenance | AI (provenance): Package was first published ~13 years ago, long before npm Sigstore provenance existed. No provenance is expected and not a meaningful risk signal for this package. | ai | |
| phantom-deps | phantom-dep:microtime | AI (phantom-deps): microtime is declared in package.json and used via dynamic loading; legitimate pattern for this package. | ai | |
| phantom-deps | phantom-dep:fs-extra | AI (phantom-deps): fs-extra is declared in package.json and used via dynamic loading; legitimate pattern for this package. | ai | |
| phantom-deps | phantom-dep:require-all | AI (phantom-deps): require-all is declared in package.json and used via dynamic loading; legitimate pattern for this package. | ai | |
| phantom-deps | phantom-dep:dirty | AI (phantom-deps): dirty is a declared optional adapter dependency for an early-stage multi-backend ORM; not directly imported at top level but legitimately referenced in config/adapter files. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): waterline 0.0.0 is the genuine first release of a well-established ORM (13+ years old, 165 versions, published by balderdashy). The 0.0.0 version is a legitimate bootstrap release, not a malicious throwaway. | ai | |
| phantom-deps | phantom-dep:mysql | AI (phantom-deps): mysql is a declared optional adapter dependency for Waterline's MySQL backend; not directly imported at top level but legitimately referenced in adapter config. | ai | |
| phantom-deps | phantom-dep:node-uuid | AI (phantom-deps): node-uuid is a declared utility dependency for Waterline; its indirect import pattern is consistent with early-stage ORM architecture. | ai | |
| provenance | publisher-changed | AI (provenance): mikermcneil is the Sails.js/Balderdashy founder with 1477 approved packages; this is a legitimate maintainer transition back to the core author, not a compromise. | ai | |
Versions (showing 100 of 104)
| Version | Deps | Published |
|---|---|---|
| 0.15.2 | 10 / 2 | |
| 0.15.1 | 10 / 2 | |
| 0.15.0 | 10 / 2 | |
| 0.13.6 | 10 / 2 | |
| 0.13.5 | 10 / 2 | |
| 0.13.4 | 10 / 2 | |
| 0.13.3 | 10 / 2 | |
| 0.13.2 | 10 / 2 | |
| 0.13.1 | 10 / 2 | |
| 0.12.2 | 9 / 8 | |
| 0.12.1 | 9 / 8 | |
| 0.12.0 | 9 / 8 | |
| 0.11.12 | 9 / 8 | |
| 0.11.11 | 9 / 8 | |
| 0.11.10 | 9 / 8 | |
| 0.11.9 | 9 / 8 | |
| 0.11.8 | 9 / 8 | |
| 0.11.7 | 9 / 8 | |
| 0.11.6 | 9 / 8 | |
| 0.11.5 | 9 / 8 | |
| 0.11.4 | 9 / 8 | |
| 0.11.2 | 9 / 8 | |
| 0.11.1 | 9 / 8 | |
| 0.11.0 | 9 / 8 | |
| 0.10.31 | 9 / 6 | |
| 0.10.30 | 9 / 6 | |
| 0.10.29 | 9 / 6 | |
| 0.10.28 | 9 / 6 | |
| 0.10.27 | 9 / 6 | |
| 0.10.26 | 9 / 6 | |
| 0.10.25 | 9 / 6 | |
| 0.10.24 | 9 / 6 | |
| 0.10.23 | 9 / 6 | |
| 0.10.22 | 9 / 6 | |
| 0.10.21 | 9 / 5 | |
| 0.10.20 | 9 / 5 | |
| 0.10.19 | 9 / 2 | |
| 0.10.18 | 9 / 2 | |
| 0.10.17 | 9 / 2 | |
| 0.10.16 | 9 / 2 | |
| 0.10.15 | 9 / 2 | |
| 0.10.14 | 9 / 2 | |
| 0.10.13 | 9 / 2 | |
| 0.10.12 | 9 / 2 | |
| 0.10.11 | 9 / 2 | |
| 0.10.10 | 9 / 2 | |
| 0.10.9 | 9 / 2 | |
| 0.10.8 | 9 / 2 | |
| 0.10.7 | 9 / 2 | |
| 0.10.6 | 9 / 2 | |
| 0.10.5 | 9 / 2 | |
| 0.10.4 | 9 / 2 | |
| 0.10.3 | 9 / 2 | |
| 0.10.2 | 9 / 2 | |
| 0.10.1 | 9 / 2 | |
| 0.9.16 | 4 / 1 | |
| 0.9.15 | 4 / 1 | |
| 0.9.14 | 4 / 1 | |
| 0.9.13 | 4 / 1 | |
| 0.9.12 | 4 / 1 | |
| 0.9.11 | 4 / 1 | |
| 0.9.10 | 4 / 1 | |
| 0.9.9 | 4 / 1 | |
| 0.9.8 | 4 / 1 | |
| 0.9.7 | 4 / 1 | |
| 0.9.6 | 4 / 1 | |
| 0.9.5 | 4 / 1 | |
| 0.9.4 | 4 / 1 | |
| 0.9.3 | 4 / 1 | |
| 0.9.2 | 4 / 1 | |
| 0.9.1 | 4 / 1 | |
| 0.9.0 | 4 / 1 | |
| 0.6.1 | 9 / 3 | |
| 0.6.0 | 9 / 3 | |
| 0.5.2 | 9 / 3 | |
| 0.5.1 | 9 / 0 | |
| 0.5.0 | 9 / 0 | |
| 0.4.7 | 9 / 0 | |
| 0.4.6 | 9 / 0 | |
| 0.4.5 | 9 / 0 | |
| 0.4.4 | 9 / 0 | |
| 0.4.2 | 9 / 0 | |
| 0.4.1 | 11 / 0 | |
| 0.4.0 | 11 / 0 | |
| 0.3.0 | 11 / 0 | |
| 0.2.0 | 11 / 0 | |
| 0.1.5 | 11 / 0 | |
| 0.1.4 | 14 / 0 | |
| 0.1.3 | 14 / 0 | |
| 0.1.1 | 14 / 0 | |
| 0.1.0 | 13 / 0 | |
| 0.0.5205 | 11 / 0 | |
| 0.0.5204 | 10 / 0 | |
| 0.0.5202 | 10 / 0 | |
| 0.0.5201 | 10 / 0 | |
| 0.0.52 | 10 / 0 | |
| 0.0.51 | 9 / 0 | |
| 0.0.7 | 11 / 0 | |
| 0.0.6 | 11 / 0 | |
| 0.0.5 | 8 / 0 | |
v0.15.2
2 findings
This version was published by a different npm account than previous versions on 2022-12-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-10-22. This could indicate a legitimate maintainer transition or an account compromise.
v0.13.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-02-08. This could indicate a legitimate maintainer transition or an account compromise.
v0.12.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.12
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-09-25. This could indicate a legitimate maintainer transition or an account compromise.
v0.11.11
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.10
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-03-06. This could indicate a legitimate maintainer transition or an account compromise.
v0.11.9
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-02-15. This could indicate a legitimate maintainer transition or an account compromise.
v0.11.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.7
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-01-17. This could indicate a legitimate maintainer transition or an account compromise.
v0.11.6
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-11-10. This could indicate a legitimate maintainer transition or an account compromise.
v0.11.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.4
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-10-05. This could indicate a legitimate maintainer transition or an account compromise.
v0.11.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.31
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.30
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.29
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.28
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.27
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.26
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.25
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.24
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.23
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.22
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.21
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.20
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.19
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.18
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.17
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.16
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.15
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2015-01-06. This could indicate a legitimate maintainer transition or an account compromise.
v0.10.14
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sgress454.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-11-17. This could indicate a legitimate maintainer transition or an account compromise.
v0.10.13
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.12
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-10-24. This could indicate a legitimate maintainer transition or an account compromise.
v0.10.11
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sgress454.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2014-10-02. This could indicate a legitimate maintainer transition or an account compromise.
v0.10.10
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.9
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.16
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.15
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.14
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.13
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.12
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.11
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.10
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.9
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.5
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.5
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.4
3 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: balderdashy.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-06-10. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.3
3 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: balderdashy.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-06-10. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.1
3 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: balderdashy.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-06-10. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.5205
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.5204
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.5202
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.5201
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.52
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.51
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.7
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.5
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.