@arcblock/pm2
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: nothing attests which commit and build workflow produced it, so a tarball that differs from the repository cannot be detected from registry metadata alone. The axios compromise (March 2026) relied on exactly this gap.
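The check the status line above summarizes can be reproduced from the registry's own metadata. The following is an added example, not code from the scanner or from pm2: it classifies each version in an npm packument by what the registry can prove. A `dist.signatures` entry only shows the registry signed the tarball digest (registry-to-client integrity); a `dist.attestations` entry is the Sigstore-published SLSA provenance that links the tarball to source. The packument is constructed for the example; the field layout follows the public npm registry format, but every value in it, including the `9.9.9-example` version that carries provenance, is made up.

```javascript
// Added example: what npm registry metadata proves about a published version.
//   dist.signatures   -> registry signed the tarball digest; no statement about source
//   dist.attestations -> SLSA provenance attestation exists (Sigstore), tying the
//                        tarball to a source commit and build workflow
// Constructed packument: shape matches the registry, values are invented.
const SAMPLE_PACKUMENT = {
  name: "@arcblock/pm2",
  "dist-tags": { latest: "6.0.12" },
  versions: {
    "6.0.9": {
      version: "6.0.9",
      dist: {
        tarball: "https://registry.npmjs.org/@arcblock/pm2/-/pm2-6.0.9.tgz",
        integrity: "sha512-EXAMPLE-NOT-A-REAL-DIGEST",
        signatures: [{ keyid: "SHA256:example-registry-key-id", sig: "MEUCIQ-example" }],
      },
    },
    "6.0.12": {
      version: "6.0.12",
      dist: {
        tarball: "https://registry.npmjs.org/@arcblock/pm2/-/pm2-6.0.12.tgz",
        integrity: "sha512-EXAMPLE-NOT-A-REAL-DIGEST",
        signatures: [{ keyid: "SHA256:example-registry-key-id", sig: "MEUCIQ-example" }],
      },
    },
    // Hypothetical release published WITH provenance, to exercise the positive
    // branch. The URL mirrors the registry's /-/npm/v1/attestations endpoint.
    "9.9.9-example": {
      version: "9.9.9-example",
      dist: {
        tarball: "https://registry.npmjs.org/@arcblock/pm2/-/pm2-9.9.9-example.tgz",
        integrity: "sha512-EXAMPLE-NOT-A-REAL-DIGEST",
        signatures: [{ keyid: "SHA256:example-registry-key-id", sig: "MEUCIQ-example" }],
        attestations: {
          url: "https://registry.npmjs.org/-/npm/v1/attestations/@arcblock%2fpm2@9.9.9-example",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
  },
};

// Report what the registry metadata proves for one version (default: latest).
function provenanceStatus(packument, version = packument["dist-tags"].latest) {
  const manifest = packument.versions[version];
  if (!manifest) throw new Error(`${packument.name}@${version}: not in packument`);
  const dist = manifest.dist || {};
  const att = dist.attestations;
  const hasProvenance = Boolean(att && att.url && att.provenance && att.provenance.predicateType);
  return {
    name: packument.name,
    version,
    registrySigned: Array.isArray(dist.signatures) && dist.signatures.length > 0,
    hasProvenance,
    predicateType: hasProvenance ? att.provenance.predicateType : null,
    // Only provenance links the tarball to source; a registry signature does not.
    linkedToSource: hasProvenance,
  };
}

// Every version, in the order the packument lists them.
function reportAll(packument) {
  return Object.keys(packument.versions).map((v) => provenanceStatus(packument, v));
}

// Versions a "block unattested releases" install policy would refuse.
function unattestedVersions(packument) {
  return reportAll(packument).filter((r) => !r.hasProvenance).map((r) => r.version);
}

// Live lookup (network, Node 18+ global fetch); not used by the offline sample.
async function fetchPackument(name) {
  const res = await fetch(`https://registry.npmjs.org/${name}`);
  if (!res.ok) throw new Error(`registry returned ${res.status} for ${name}`);
  return res.json();
}

console.table(reportAll(SAMPLE_PACKUMENT));
```

For a real package the same fields can be read with `npm view @arcblock/pm2 dist.attestations`, and `npm audit signatures` verifies both the registry signatures and the provenance attestations of everything in an installed tree.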
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:etc-passwd-access | AI (semgrep): pm2 reads /etc/passwd to enumerate system users for process management; documented upstream behavior. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Process manager inherently uses child_process to spawn/manage Node.js processes; core functionality. | ai | |
| semgrep | semgrep:child-process-exec | AI (semgrep): Version management commands use exec; expected in a process manager CLI tool. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Loads package.json at runtime path for version bumping; standard pattern in CLI tools. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): HTTP Basic Auth parsing in Serve.js; standard and benign. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): pm2-describe reads env to show process environment diff; expected describe/inspect functionality. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped @arcblock/pm2 package is clearly a pm2 fork, not a typosquat of the pg database driver. | ai | |
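The last accepted risk is worth seeing in code. This is an added example, not the scanner's rule: it implements the edit-distance comparison a `typosquat.levenshtein` check performs and the scope-aware exception the reviewer applied. The popular-package list and the distance threshold of 2 are assumptions for the example; the real rule's list and threshold are not shown on this page.

```javascript
// Added example: Levenshtein-based typosquat screening with a scope-aware
// exception. POPULAR_PACKAGES and maxDistance are assumptions for the example.
const POPULAR_PACKAGES = ["pg", "pm2", "express", "lodash", "react"];

// Classic dynamic-programming edit distance (insert/delete/substitute, cost 1),
// kept to a single row of state.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// "@scope/name" -> { scope: "@scope", bare: "name" }; unscoped -> scope null.
function splitScope(name) {
  if (name.startsWith("@") && name.includes("/")) {
    const i = name.indexOf("/");
    return { scope: name.slice(0, i), bare: name.slice(i + 1) };
  }
  return { scope: null, bare: name };
}

function typosquatCheck(name, popular = POPULAR_PACKAGES, maxDistance = 2) {
  const { scope, bare } = splitScope(name);
  const near = popular
    .map((p) => ({ package: p, distance: levenshtein(bare, p) }))
    .filter((x) => x.distance <= maxDistance)
    .sort((x, y) => x.distance - y.distance);
  // Exact match on the bare name: an unscoped package IS the known package; a
  // scoped one is a fork or mirror carrying the same name, which the reviewer
  // treated as not a typosquat. A fork can still diverge from upstream, so the
  // provenance and code findings elsewhere on the page remain relevant.
  if (near.length && near[0].distance === 0) {
    return { name, verdict: scope ? "scoped-fork-of-known-name" : "known-name", near: near.slice(1) };
  }
  return { name, verdict: near.length ? "possible-typosquat" : "clear", near };
}

for (const n of ["@arcblock/pm2", "pm2", "expresss", "leftpad"]) {
  console.log(JSON.stringify(typosquatCheck(n)));
}
```

Running it on `@arcblock/pm2` shows why the rule fired (`pg` is within distance 2 of `pm2`) and why the reviewer dismissed it (the bare name is an exact match for the well-known `pm2`, with a scope in front).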
v6.0.12
2 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/Unitech/pm2/blob/10a99564561cf3cef2b571c1fab4a14f9a934e87/lib/tools/passwd.js#L5

Excerpt from upstream pm2's lib/tools/passwd.js (the flagged line is the readFileSync call):

```javascript
var getUsers = function() {
  return fs.readFileSync('/etc/passwd')
    .toString()
    .split('\n')
```

The excerpt reads only /etc/passwd, which is world-readable and holds usernames, UIDs, home directories and shells; password hashes live in /etc/shadow, which this code does not touch. That is consistent with the accepted-risk reason above (enumerating system users), though any read of /etc/passwd still deserves a look when it appears in a dependency update.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.9
1 finding

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.