@fuzdev/gro
task runner and toolkit extending SvelteKit
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Intentional env pass-through to spawned Deno server process; documented in code comment. | ai | |
| typosquat | typosquat.levenshtein:glob | AI (typosquat): Scoped package @fuzdev/gro; no meaningful similarity to glob beyond edit distance. | ai | |
| typosquat | typosquat.levenshtein:got | AI (typosquat): Scoped package @fuzdev/gro; no meaningful similarity to got beyond edit distance. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a known implicit runtime dependency for TypeScript compiled output. | ai | |
| phantom-deps | phantom-dep:esm-env | AI (phantom-deps): Referenced in config files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:prettier-plugin-svelte | AI (phantom-deps): Plugin referenced in prettier config in package.json; not directly imported in code. | ai | |
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 0.203.0 | 8 / 30 | |
| 0.202.0 | 8 / 30 | |
| 0.201.1 | 9 / 30 | |
| 0.201.0 | 9 / 30 | |
| 0.200.0 | 9 / 30 | |
| 0.199.1 | 9 / 29 | |
| 0.199.0 | 9 / 29 | |
| 0.198.0 | 9 / 29 | |
| 0.197.3 | 9 / 29 | |
| 0.197.2 | 9 / 29 | |
| 0.197.1 | 9 / 29 | |
| 0.197.0 | 9 / 27 | |
| 0.196.0 | 9 / 26 | |
| 0.195.2 | 9 / 26 | |
| 0.195.1 | 9 / 26 | |
| 0.195.0 | 9 / 26 | |
| 0.194.0 | 9 / 26 | |
| 0.193.0 | 9 / 26 | |
| 0.192.1 | 9 / 26 | |
| 0.192.0 | 9 / 26 | |
v0.203.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.202.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.201.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.201.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.200.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.199.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.199.0
3 findings:

1. Spreading entire process.env into an object — may capture all secrets
   Source: https://github.com/fuzdev/gro/blob/df2375376b242d7c7f31bbd0920a3194d9adab0c/src/lib/gro_plugin_deno_server.ts#L110

```
  108 | // Extend process.env rather than replacing it (need PATH, HOME, etc.)
  109 | server_process = spawn_restartable_process('deno', args, {
> 110 |   env: {
  111 |     ...process.env,
  112 |     PORT: String(port),
```

2. Spreading entire process.env into an object — may capture all secrets
   Source: https://github.com/fuzdev/gro/blob/df2375376b242d7c7f31bbd0920a3194d9adab0c/src/lib/typecheck.task.ts#L46

```
  44 | const spawned = await spawn_cli_process(found_svelte_check_cli, serialized, undefined, {
  45 |   stdio: ['inherit', 'pipe', 'pipe'],
> 46 |   env: {...process.env, FORCE_COLOR: '1'}, // Needed for colors (maybe make an option)
  47 | });
  48 |
```

3. Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.198.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.197.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.197.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.197.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.197.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.196.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.195.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.195.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.195.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.194.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.193.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.192.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.192.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.