@boundaryml/baml
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:child-process-import | AI (semgrep): execSync('ldd --version') is standard napi-rs pattern to detect musl vs glibc for selecting the correct prebuilt binary. Stable and benign for this package. | ai | |
| semgrep | semgrep:child-process-execsync | AI (semgrep): execSync('ldd --version') is standard napi-rs musl detection pattern. Fixed command, no user input, no arbitrary execution risk. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): require(NAPI_RS_NATIVE_LIBRARY_PATH) is a documented napi-rs escape hatch for overriding native library path. Standard pattern for this type of package. | ai | |
| phantom-deps | phantom-dep:@scarf/scarf | AI (phantom-deps): @scarf/scarf is a legitimate telemetry dependency declared in package.json; it is loaded via package.json config rather than explicit require(), so phantom-dep detection is a false positive here. | ai | |
Versions (showing 26 of 26)
| Version | Deps | Published |
|---|---|---|
| 0.222.0 | 1 / 9 | |
| 0.221.0 | 1 / 9 | |
| 0.220.0 | 1 / 9 | |
| 0.219.0 | 1 / 9 | |
| 0.218.1 | 1 / 9 | |
| 0.218.0 | 1 / 9 | |
| 0.217.0 | 1 / 9 | |
| 0.216.0 | 1 / 9 | |
| 0.215.2 | 1 / 9 | |
| 0.215.0 | 1 / 9 | |
| 0.214.0 | 1 / 9 | |
| 0.213.0 | 1 / 9 | |
| 0.212.0 | 1 / 9 | |
| 0.202.1 | 1 / 9 | |
| 0.201.0 | 1 / 9 | |
| 0.200.0 | 1 / 9 | |
| 0.90.2 | 1 / 9 | |
| 0.90.1 | 1 / 9 | |
| 0.90.0 | 1 / 9 | |
| 0.89.0 | 1 / 9 | |
| 0.88.0 | 1 / 9 | |
| 0.87.2 | 1 / 9 | |
| 0.87.1 | 1 / 9 | |
| 0.87.0 | 1 / 9 | |
| 0.86.1 | 1 / 9 | |
| 0.86.0 | 1 / 9 | |
v0.221.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.202.1
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sxlijin.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.201.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.200.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.90.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.90.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.90.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.89.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.88.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.87.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.87.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.87.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.86.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.86.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.