@dagucloud/dagu GPL-3.0 6 versions

@dagucloud/dagu

npm Repository Homepage

A powerful Workflow Orchestration Engine with simple declarative YAML API. Zero-dependency, single binary for Linux, macOS, and Windows.

6

Versions

GPL-3.0

License

Yes

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

yottahmd

Keywords

workflowautomationorchestrationdagpipelineschedulertask-runnerworkflow-enginedevopsci-cd

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
install-scripts	install-script:postinstall	AI (install-scripts): Postinstall extracts platform-specific prebuilt binary from optional deps; standard binary distribution pattern.	ai	2026/05/12
semgrep	semgrep:child-process-import	AI (semgrep): child_process used in install.js for binary extraction/setup; consistent with prebuilt binary distribution.	ai	2026/05/12
phantom-deps	phantom-dep:tar	AI (phantom-deps): tar is a declared dependency used in install.js for binary extraction; phantom-dep heuristic is a false positive here.	ai	2026/05/12

Versions (showing 6 of 6)

Version	Deps	Published
2.7.4	1 / 0	2026-05-22
2.7.3	1 / 0	2026-05-19
2.7.2	1 / 0	2026-05-18
2.6.10	1 / 0	2026-05-13
2.6.8	1 / 0	2026-05-10
2.6.5	1 / 0	2026-05-04

v2.7.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.7.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.7.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.10

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.8

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: node ./install.js

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.5

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: node ./install.js

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.