
@electron/rebuild

5 Versions
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
gitHead linked

Maintainers

electron-cfa

Keywords

electron

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
npm-metadata | url-dep:@electron/node-gyp | AI (npm-metadata): Electron/rebuild intentionally pins @electron/node-gyp via git commit hash; stable pattern for this package. | ai |
dependencies | unvetted-dep:@electron/node-gyp | AI (dependencies): Pinned to specific commit in the official electron/node-gyp repo; intentional and stable for this package. | ai |
semgrep | semgrep:env-spread | AI (semgrep): Build tool that invokes node-gyp legitimately needs to pass full process.env to child processes. This is expected behavior for native module rebuild tooling. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding in cache.js is used to deserialize cached binary Snap objects — a legitimate caching mechanism, not obfuscated payload. | ai |
typosquat | typosquat.levenshtein:esbuild | AI (typosquat): False positive: @electron/rebuild is a scoped official Electron org package with no relation to esbuild. Levenshtein distance match is coincidental. | ai |

Versions (showing 5 of 5)

Version | Deps | Published
4.0.4 | 6 / 12 |
4.0.3 | 13 / 23 |
4.0.2 | 13 / 24 |
4.0.1 | 14 / 24 |
4.0.0 | 14 / 24 |

v4.0.4

2 findings
HIGH env-spread: lib/module-type/node-gyp/node-gyp.js:80 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/electron/rebuild/blob/21ceb5b60cb3cde1839e3e73dd5ad89b12eab6f6/lib/module-type/node-gyp/node-gyp.js#L80

      78 |   // throw new Error(`node-gyp does not support building modules with spaces in their path, tried to build: ${
      79 | }
    > 80 | const env = {
      81 |   ...process.env,
      82 | };

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.