@frontmcp/nx
Nx plugin for FrontMCP — generators and executors for building MCP servers
Supply chain provenance
Status for the latest visible version (1.3.0): published via CI/CD with a Sigstore attestation (predicate https://slsa.dev/provenance/v1).
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:child-process-import | AI (semgrep): Nx executor legitimately spawns build commands via child_process; stable pattern for this package. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Passing process.env to a spawned build process is standard Nx executor practice, not exfiltration. | ai | |
| typosquat | typosquat.levenshtein:next | AI (typosquat): Scoped @frontmcp/nx package named after Nx build system, not impersonating 'next'. | ai | |
| typosquat | typosquat.levenshtein:nuxt | AI (typosquat): Scoped @frontmcp/nx package named after Nx build system, not impersonating 'nuxt'. | ai | |
| typosquat | typosquat.levenshtein:knex | AI (typosquat): Scoped @frontmcp/nx package named after Nx build system, not impersonating 'knex'. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped @frontmcp/nx package named after Nx build system, not impersonating 'pg'. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): Scoped @frontmcp/nx package named after Nx build system, not impersonating 'qs'. | ai | |
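The five typosquat rows above all fire for the same reason: the package's bare name is two letters, and a two-letter name sits within two edits of almost any short popular name. As an added example (not the scanner's code or the project's), the following JavaScript implements a Levenshtein check of that shape plus the triage step the accepted-risk reasons rely on, namely that a scoped name cannot be reached by mistyping an unscoped one. The popular-name list, the distance threshold of 2 and the decision rules are assumptions, not the scanner's real configuration.

```javascript
// Added example, not scanner or project code. Popular names, threshold and
// verdict rules are assumptions for illustration.

// Classic dynamic-programming edit distance (insert / delete / substitute).
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // dp[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // dp[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Popular unscoped package names a squatter might target (constructed list).
const POPULAR = ['next', 'nuxt', 'knex', 'pg', 'qs', 'react', 'express'];

// Split '@scope/name' into its parts; unscoped names get scope null.
function parseName(pkg) {
  const m = /^(?:@([^/]+)\/)?([^/]+)$/.exec(pkg);
  if (!m) throw new Error(`invalid package name: ${pkg}`);
  return { scope: m[1] === undefined ? null : m[1], name: m[2] };
}

// Popular names within `maxDistance` edits of the package's bare name.
// A two-letter name like "nx" is within 2 edits of next, nuxt, knex, pg and qs
// at once, which is exactly the cluster of findings on this page.
function typosquatCandidates(pkg, popular = POPULAR, maxDistance = 2) {
  const { name } = parseName(pkg);
  return popular
    .filter((p) => p !== name && levenshtein(name, p) <= maxDistance)
    .map((p) => ({ target: p, distance: levenshtein(name, p) }));
}

// Triage (assumed rules): the candidates list holds unscoped names, so a
// scoped package cannot be installed by mistyping one of them (the '@scope/'
// prefix must be typed deliberately); a very short unscoped name collides
// with too many targets for distance alone to mean anything.
function assessTyposquat(pkg, popular = POPULAR) {
  const { scope, name } = parseName(pkg);
  const hits = typosquatCandidates(pkg, popular);
  if (hits.length === 0) return { verdict: 'clear', hits };
  if (scope !== null) return { verdict: 'accept-scoped', hits };
  if (name.length <= 3) return { verdict: 'review-short-name', hits };
  return { verdict: 'review', hits };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(assessTyposquat('@frontmcp/nx'));
  console.log(assessTyposquat('nx'));
  console.log(assessTyposquat('reacr'));
}
```

Running it shows `@frontmcp/nx` hitting all five targets at distance 2 and being accepted on the scope rule, while the same bare name unscoped would be routed to review.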
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 1.3.0 | 3 / 0 | |
| 1.2.1 | 3 / 0 | |
| 1.2.0 | 3 / 0 | |
| 1.1.2 | 3 / 0 | |
| 1.1.1 | 3 / 0 | |
| 1.1.0 | 3 / 0 | |
| 1.0.4 | 3 / 0 | |
| 1.0.3 | 3 / 0 | |
| 1.0.2 | 3 / 0 | |
| 1.0.1 | 3 / 0 | |
| 1.0.0 | 3 / 0 | |
| 0.12.2 | 2 / 0 | |
| 0.12.1 | 2 / 0 | |
| 0.0.1 | 2 / 0 | |
v1.3.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.1
6 findings
| # | Finding | Source (commit 5bc4d462) | Flagged code |
|---|---|---|---|
| 1 | Spreading entire process.env into an object — may capture all secrets | https://github.com/agentfront/frontmcp/blob/5bc4d462bb67cae68f17c4eec31149687250cb69/executors/build-exec/build-exec.impl.js#L17 | Line 17 `env: { ...process.env, FORCE_COLOR: '1' },` in a spawn with `cwd: context.root,` and `stdio: 'inherit',`; the executor then does `return { success: true };` |
| 2 | Spreading entire process.env into an object — may capture all secrets | https://github.com/agentfront/frontmcp/blob/5bc4d462bb67cae68f17c4eec31149687250cb69/executors/deploy/deploy.impl.js#L25 | Line 25 `env: { ...process.env, FORCE_COLOR: '1' },` in a spawn with ``cwd: `${context.root}/${projectRoot}`,`` and `stdio: 'inherit',`; the executor then does `return { success: true };` |
| 3 | Spreading entire process.env into an object — may capture all secrets | https://github.com/agentfront/frontmcp/blob/5bc4d462bb67cae68f17c4eec31149687250cb69/executors/dev/dev.impl.js#L15 | Line 15 `env: { ...process.env, FORCE_COLOR: '1' },` in a spawn with `cwd: context.root,` and `stdio: 'inherit',`; the executor then does ``yield { success: true, ...(options.port !== undefined && { baseUrl: `http://localhost:${options.port}` }) };`` |
| 4 | Spreading entire process.env into an object — may capture all secrets | https://github.com/agentfront/frontmcp/blob/5bc4d462bb67cae68f17c4eec31149687250cb69/executors/inspector/inspector.impl.js#L13 | Line 13 `env: { ...process.env, FORCE_COLOR: '1' },` in a spawn with `cwd: context.root,` and `stdio: 'inherit',`; the executor then does `yield { success: true };` |
| 5 | Spreading entire process.env into an object — may capture all secrets | https://github.com/agentfront/frontmcp/blob/5bc4d462bb67cae68f17c4eec31149687250cb69/executors/serve/serve.impl.js#L19 | Line 19 `env: { ...process.env, FORCE_COLOR: '1' },` in a spawn with `cwd: context.root,` and `stdio: 'inherit',`; the executor then does `yield { success: true };` |
| 6 | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal. | | |
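The env-spread findings above and the accepted-risk row for semgrep:env-spread disagree only on whether the pattern matters, not on what it does: every variable on the machine running `nx`, registry tokens and cloud credentials included, reaches whatever the executor spawns. The practical fix keeps spawning the build but hands the child an allowlisted environment. The JavaScript below is an added example, not code from @frontmcp/nx; the allowlist, the secret-name pattern and the sample runner environment are constructed for illustration.

```javascript
// Added example, not code from @frontmcp/nx. The flagged executors pass
// env: { ...process.env, FORCE_COLOR: '1' } to the child. buildChildEnv()
// forwards an allowlist instead. Allowlist, secret-name pattern and the
// sample environment are assumptions.

// Variables a build or serve child typically needs (assumed list; extend per project).
const BUILD_ENV_ALLOWLIST = [
  'PATH', 'HOME', 'TMPDIR', 'TEMP', 'TMP', 'LANG', 'TERM', 'CI',
  'NODE_ENV', 'NODE_OPTIONS', 'SystemRoot', 'USERPROFILE',
];

// Names that should never cross into a build child (assumed pattern).
const SECRET_NAME = /TOKEN|SECRET|PASSW|PRIVATE_KEY|CREDENTIAL/i;

// The pattern from the flagged executors: everything in the parent env.
function spreadEnv(parentEnv) {
  return { ...parentEnv, FORCE_COLOR: '1' };
}

// Hardened form: only allowlisted names, never secret-looking ones, plus
// explicit extras the executor knows the child needs (e.g. PORT for a dev server).
function buildChildEnv(parentEnv, { allow = BUILD_ENV_ALLOWLIST, extra = {} } = {}) {
  const child = {};
  for (const key of allow) {
    if (parentEnv[key] !== undefined && !SECRET_NAME.test(key)) child[key] = parentEnv[key];
  }
  return { ...child, FORCE_COLOR: '1', ...extra };
}

// Spawn options shaped like the executors' (cwd, stdio: 'inherit') but with the reduced env.
function spawnOptions(parentEnv, cwd, extra = {}) {
  return { cwd, stdio: 'inherit', env: buildChildEnv(parentEnv, { extra }) };
}

// Audit helper: parent variables that look like secrets and reached the child unchanged.
function leakedSecrets(parentEnv, childEnv) {
  return Object.keys(childEnv).filter((k) => SECRET_NAME.test(k) && childEnv[k] === parentEnv[k]);
}

// Constructed parent environment standing in for a CI runner.
const SAMPLE_PARENT_ENV = {
  PATH: '/usr/bin:/bin', HOME: '/home/ci', NODE_ENV: 'production',
  NPM_TOKEN: 'npm_example_token', AWS_SECRET_ACCESS_KEY: 'example-secret', GITHUB_TOKEN: 'ghp_example',
};

// Demo when run directly: compare the two builders, then let a child print what it can see.
if (typeof require !== 'undefined' && require.main === module) {
  const { spawnSync } = require('node:child_process');
  console.log('spread leaks   :', leakedSecrets(SAMPLE_PARENT_ENV, spreadEnv(SAMPLE_PARENT_ENV)));
  console.log('allowlist leaks:', leakedSecrets(SAMPLE_PARENT_ENV, buildChildEnv(SAMPLE_PARENT_ENV)));
  spawnSync(process.execPath, ['-e', 'console.log(Object.keys(process.env).sort().join(","))'],
    spawnOptions(SAMPLE_PARENT_ENV, process.cwd(), { PORT: '3000' }));
}
```

An allowlist is deliberately stricter than a denylist: a new secret added to the runner later is dropped by default instead of leaking until someone extends the pattern. The `SECRET_NAME` test on allowlisted keys is a second guard against an allowlist entry that was itself a secret.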
v1.2.0
6 findings
| # | Finding | Source (commit 76ebffec) | Flagged code |
|---|---|---|---|
| 1 | Spreading entire process.env into an object — may capture all secrets | https://github.com/agentfront/frontmcp/blob/76ebffec7a656de03aa2ccf40378dd2d76a57218/executors/build-exec/build-exec.impl.js#L17 | Line 17 `env: { ...process.env, FORCE_COLOR: '1' },` in a spawn with `cwd: context.root,` and `stdio: 'inherit',`; the executor then does `return { success: true };` |
| 2 | Spreading entire process.env into an object — may capture all secrets | https://github.com/agentfront/frontmcp/blob/76ebffec7a656de03aa2ccf40378dd2d76a57218/executors/deploy/deploy.impl.js#L25 | Line 25 `env: { ...process.env, FORCE_COLOR: '1' },` in a spawn with ``cwd: `${context.root}/${projectRoot}`,`` and `stdio: 'inherit',`; the executor then does `return { success: true };` |
| 3 | Spreading entire process.env into an object — may capture all secrets | https://github.com/agentfront/frontmcp/blob/76ebffec7a656de03aa2ccf40378dd2d76a57218/executors/dev/dev.impl.js#L15 | Line 15 `env: { ...process.env, FORCE_COLOR: '1' },` in a spawn with `cwd: context.root,` and `stdio: 'inherit',`; the executor then does ``yield { success: true, ...(options.port !== undefined && { baseUrl: `http://localhost:${options.port}` }) };`` |
| 4 | Spreading entire process.env into an object — may capture all secrets | https://github.com/agentfront/frontmcp/blob/76ebffec7a656de03aa2ccf40378dd2d76a57218/executors/inspector/inspector.impl.js#L13 | Line 13 `env: { ...process.env, FORCE_COLOR: '1' },` in a spawn with `cwd: context.root,` and `stdio: 'inherit',`; the executor then does `yield { success: true };` |
| 5 | Spreading entire process.env into an object — may capture all secrets | https://github.com/agentfront/frontmcp/blob/76ebffec7a656de03aa2ccf40378dd2d76a57218/executors/serve/serve.impl.js#L19 | Line 19 `env: { ...process.env, FORCE_COLOR: '1' },` in a spawn with `cwd: context.root,` and `stdio: 'inherit',`; the executor then does `yield { success: true };` |
| 6 | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal. | | |
v1.1.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.1
6 findings
| # | Finding | Source (commit 5c6f287d) | Flagged code |
|---|---|---|---|
| 1 | Spreading entire process.env into an object — may capture all secrets | https://github.com/agentfront/frontmcp/blob/5c6f287d677179f341b3d895523acbc12eb5c194/executors/build-exec/build-exec.impl.js#L17 | Line 17 `env: { ...process.env, FORCE_COLOR: '1' },` in a spawn with `cwd: context.root,` and `stdio: 'inherit',`; the executor then does `return { success: true };` |
| 2 | Spreading entire process.env into an object — may capture all secrets | https://github.com/agentfront/frontmcp/blob/5c6f287d677179f341b3d895523acbc12eb5c194/executors/deploy/deploy.impl.js#L25 | Line 25 `env: { ...process.env, FORCE_COLOR: '1' },` in a spawn with ``cwd: `${context.root}/${projectRoot}`,`` and `stdio: 'inherit',`; the executor then does `return { success: true };` |
| 3 | Spreading entire process.env into an object — may capture all secrets | https://github.com/agentfront/frontmcp/blob/5c6f287d677179f341b3d895523acbc12eb5c194/executors/dev/dev.impl.js#L15 | Line 15 `env: { ...process.env, FORCE_COLOR: '1' },` in a spawn with `cwd: context.root,` and `stdio: 'inherit',`; the executor then does ``yield { success: true, ...(options.port !== undefined && { baseUrl: `http://localhost:${options.port}` }) };`` |
| 4 | Spreading entire process.env into an object — may capture all secrets | https://github.com/agentfront/frontmcp/blob/5c6f287d677179f341b3d895523acbc12eb5c194/executors/inspector/inspector.impl.js#L13 | Line 13 `env: { ...process.env, FORCE_COLOR: '1' },` in a spawn with `cwd: context.root,` and `stdio: 'inherit',`; the executor then does `yield { success: true };` |
| 5 | Spreading entire process.env into an object — may capture all secrets | https://github.com/agentfront/frontmcp/blob/5c6f287d677179f341b3d895523acbc12eb5c194/executors/serve/serve.impl.js#L19 | Line 19 `env: { ...process.env, FORCE_COLOR: '1' },` in a spawn with `cwd: context.root,` and `stdio: 'inherit',`; the executor then does `yield { success: true };` |
| 6 | Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal. | | |
v1.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.