← Home

@credo-ts/drizzle-storage

npm Repository Homepage
5
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

openwalletfoundationtimoglastragenaris

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): Package migrated to GitHub Actions CI publishing with SLSA attestation; stable pattern for this org going forward. ai
maintainer-change maintainer-added AI (maintainer-change): genaris is a known contributor in the openwallet-foundation/credo-ts project; legitimate maintainer addition. ai
dependencies unvetted-dep:shell AI (dependencies): shell is used in CLI migration tooling to spawn child processes; consistent with package purpose across versions. ai
phantom-deps phantom-dep:class-validator AI (phantom-deps): class-validator used via decorators in config files; false positive for this framework. ai
semgrep semgrep:env-spread AI (semgrep): env-spread is in CLI migration subprocess spawn — standard pattern for inheriting env in child process, not a data leak. ai
phantom-deps phantom-dep:class-transformer AI (phantom-deps): class-transformer used via decorators in config files; false positive for this framework. ai
phantom-deps phantom-dep:zod AI (phantom-deps): zod is a declared runtime dep used in config files; phantom-dep heuristic is a false positive here. ai
phantom-deps phantom-dep:tsyringe AI (phantom-deps): tsyringe is a declared runtime dep used via decorators/config; false positive for this framework. ai

Versions (showing 5 of 5)

Version Deps Published
0.7.0 14 / 6
0.6.3 14 / 6
0.6.2 14 / 6
0.6.1 14 / 6
0.6.0 14 / 6

v0.6.3

4 findings
HIGH env-spread: cli-build/generate-migrations.mjs:22 semgrep

Spreading entire process.env into an object — may capture all secrets 20 | encoding: "utf-8", 21 | stdio: "inherit", > 22 | env: { 23 | ...process.env, 24 | DRIZZLE_DIALECT: dialect,

HIGH env-spread: cli-build/run-migrations.mjs:18 semgrep

Spreading entire process.env into an object — may capture all secrets 16 | ], { 17 | encoding: "utf-8", > 18 | env: { 19 | ...process.env, 20 | DRIZZLE_DATABASE_URL: database.url,

HIGH env-spread: cli-build/run-studio.mjs:13 semgrep

Spreading entire process.env into an object — may capture all secrets 11 | "--config", 12 | drizzleConfigPath > 13 | ], { env: { 14 | ...process.env, 15 | DRIZZLE_DATABASE_URL: database.url,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.2

2 findings
HIGH Publisher changed: openwalletfoundation → GitHub Actions (on 2026-02-04) provenance

This version was published by a different npm account than previous versions on 2026-02-04. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.