waterline
An ORM for Node.js and the Sails framework
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:coverage/lcov-report/prettify.js | AI (source-diff): This is the standard Google Code Prettify minified JS bundled by Istanbul into lcov HTML coverage reports. Not malicious — coverage artifacts accidentally committed to the package. | ai | |
| source-diff | obfuscated-file:lib/waterline/utils/query/private/is-valid-attribute-name.js | AI (source-diff): The long line is a comprehensive Unicode character-class regex for ECMAScript identifier validation — a well-known pattern, not obfuscation. Code is otherwise readable and well-structured. | ai | |
| provenance | missing-githead | AI (provenance): Waterline is a long-established, well-known ORM package. Missing gitHead is a publish environment change, not a security signal, given the publisher's strong track record and no material code changes. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is Waterline's intentional adapter-loading mechanism — adapters are loaded by identity name as part of the ORM's plugin architecture. Not a security risk in this context. | ai | |
| provenance | no-provenance | AI (provenance): Package was first published ~13 years ago, long before npm Sigstore provenance existed. No provenance is expected and not a meaningful risk signal for this package. | ai | |
| phantom-deps | phantom-dep:microtime | AI (phantom-deps): microtime is declared in package.json and used via dynamic loading; legitimate pattern for this package. | ai | |
| phantom-deps | phantom-dep:fs-extra | AI (phantom-deps): fs-extra is declared in package.json and used via dynamic loading; legitimate pattern for this package. | ai | |
| phantom-deps | phantom-dep:require-all | AI (phantom-deps): require-all is declared in package.json and used via dynamic loading; legitimate pattern for this package. | ai | |
| phantom-deps | phantom-dep:dirty | AI (phantom-deps): dirty is a declared optional adapter dependency for an early-stage multi-backend ORM; not directly imported at top level but legitimately referenced in config/adapter files. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): waterline 0.0.0 is the genuine first release of a well-established ORM (13+ years old, 165 versions, published by balderdashy). The 0.0.0 version is a legitimate bootstrap release, not a malicious throwaway. | ai | |
| phantom-deps | phantom-dep:mysql | AI (phantom-deps): mysql is a declared optional adapter dependency for Waterline's MySQL backend; not directly imported at top level but legitimately referenced in adapter config. | ai | |
| phantom-deps | phantom-dep:node-uuid | AI (phantom-deps): node-uuid is a declared utility dependency for Waterline; its indirect import pattern is consistent with early-stage ORM architecture. | ai | |
| provenance | publisher-changed | AI (provenance): mikermcneil is the Sails.js/Balderdashy founder with 1477 approved packages; this is a legitimate maintainer transition back to the core author, not a compromise. | ai |
v0.0.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.