@jsreport/jsreport-npm
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Intentional: passes current env to npm subprocess with one override; standard pattern for npm invocation. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Core functionality of this package is running npm install via child_process; not malicious. | ai | |
v4.1.0
2 findings

Spreading entire process.env into an object — may capture all secrets
Source: ssh://[email protected]/jsreport/jsreport/blob/daba8f2fb90c464f44b09f8a446792341eeb3c8a/lib/worker.js#L88

```js
  86 | reporter.logger.debug(`npm install started ${moduleNameAndVersion}`, req)
  87 | const { stdout, stderr } = await exec(`npm i --prefix=${prefix} ${moduleNameAndVersion}`, {
> 88 |   env: {
  89 |     ...process.env,
  90 |     npm_config_cache: path.join(rootPrefix, 'cache')
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but it leaves no verifiable link from the published tarball to a source commit and build.
v4.0.1
2 findings

Spreading entire process.env into an object — may capture all secrets
Source: ssh://[email protected]/jsreport/jsreport/blob/b37565a48080fd362b32e6fe37a7070da3da2ef1/lib/worker.js#L88

```js
  86 | reporter.logger.debug(`npm install started ${moduleNameAndVersion}`, req)
  87 | const { stdout, stderr } = await exec(`npm i --prefix=${prefix} ${moduleNameAndVersion}`, {
> 88 |   env: {
  89 |     ...process.env,
  90 |     npm_config_cache: path.join(rootPrefix, 'cache')
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common, but it leaves no verifiable link from the published tarball to a source commit and build.
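The `...process.env` spread flagged in both versions above (and accepted in the risk table as the "standard pattern") hands every variable of the jsreport process, including any cloud credentials or database URLs, to npm and to every install or postinstall script of the module being installed. The following is an added example, not code from jsreport, showing the allowlisted alternative: only the variables npm needs, plus its own `npm_config_*` settings minus credential-bearing ones, reach the subprocess. The names `buildNpmEnv`, `npmInstall` and `ALLOWED_VARS`, the contents of the allowlist and the constructed parent environment in the comments are this example's own assumptions.

```javascript
// Added example, not jsreport's code: replace the `...process.env` spread with
// an allowlisted environment for the `npm install` subprocess. The function
// names, the allowlist and the credential regex are this example's choices.
const path = require('node:path');
const { execFile } = require('node:child_process');
const { promisify } = require('node:util');

const execFileAsync = promisify(execFile);

// Variables npm needs to find itself, write temp files and reach the network.
// Secrets such as AWS_SECRET_ACCESS_KEY or DATABASE_URL are not on the list, so
// they never reach npm or any install/postinstall script a dependency runs.
const ALLOWED_VARS = new Set([
  'PATH', 'HOME', 'USER', 'TMPDIR', 'TEMP', 'TMP', 'LANG', 'LC_ALL',
  'HTTP_PROXY', 'HTTPS_PROXY', 'NO_PROXY',
  'SYSTEMROOT', 'COMSPEC', 'APPDATA', 'LOCALAPPDATA',
]);

// npm reads configuration from npm_config_* variables, so those pass through,
// except the ones that carry registry credentials.
const SECRET_NPM_CONFIG = /^npm_config_.*(_auth|authtoken|password|otp)/i;

// Build the subprocess environment from an explicit allowlist.
// parentEnv is passed in (rather than reading process.env directly) so the
// policy can be unit-tested against a constructed environment.
function buildNpmEnv(parentEnv, rootPrefix, overrides = {}) {
  const env = {};
  for (const [key, value] of Object.entries(parentEnv)) {
    if (ALLOWED_VARS.has(key.toUpperCase())) {
      env[key] = value;
    } else if (/^npm_config_/i.test(key) && !SECRET_NPM_CONFIG.test(key)) {
      env[key] = value;
    }
  }
  // Same override jsreport applies in the flagged snippet: a private npm cache
  // under the jsreport root, plus any caller-supplied overrides.
  return { ...env, npm_config_cache: path.join(rootPrefix, 'cache'), ...overrides };
}

// Run `npm i --prefix=<prefix> <moduleNameAndVersion>` with the reduced env.
async function npmInstall(rootPrefix, prefix, moduleNameAndVersion) {
  // execFile passes the module spec as a discrete argument, so nothing in it is
  // interpreted by a shell. (On Windows the binary is npm.cmd, which needs
  // shell: true or an explicit path; this example assumes a POSIX host.)
  const { stdout, stderr } = await execFileAsync(
    'npm',
    ['i', `--prefix=${prefix}`, moduleNameAndVersion],
    { env: buildNpmEnv(process.env, rootPrefix), maxBuffer: 16 * 1024 * 1024 }
  );
  return { stdout, stderr };
}

module.exports = { buildNpmEnv, npmInstall, ALLOWED_VARS };
```

The allowlist is deliberately short; if npm fails in your environment because a variable it needs is missing, add that variable explicitly rather than going back to the spread. Keeping `npm_config_cache` as an override preserves the behaviour of the original snippet, while dropping `npm_config__authToken` and friends means the install cannot exfiltrate the server's registry credentials through a dependency's lifecycle script.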
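The provenance gap described in the Supply chain provenance section and repeated in the per-version findings is concrete: a registry signature proves only that npmjs.com served a tarball, while a SLSA provenance attestation names the tarball's digest and the repository and workflow that built it. The following added example, not code from jsreport or from npm, shows how to tell the two apart in registry metadata and how to check that a provenance statement actually binds the resolved tarball to the expected repository. The packument fragment, the in-toto statement, the package name and the digests are constructed for the example; the field names (`dist.integrity`, `dist.signatures`, `dist.attestations`, the SLSA v1 `buildDefinition.externalParameters.workflow` layout) are assumed to match what the npm registry and npm's GitHub Actions provenance produce. Signature verification of the DSSE envelope is intentionally not implemented here.

```javascript
// Added example, not jsreport's or npm's code. Two checks a reviewer can run on
// registry metadata: (1) does a version carry a provenance attestation at all, or
// only the registry's own signature; (2) does the provenance statement bind THIS
// tarball to the expected source repository. Verifying the DSSE signature against
// the Sigstore trust root is left to `npm audit signatures`; this code only
// checks what the statement claims.

// Constructed packument fragment (field names assumed to follow the npm registry;
// package name and digests are invented for the example).
const TARBALL_1_1_0 = Buffer.alloc(64, 0xcd); // stand-in for a sha512 digest
const SAMPLE_PACKUMENT = {
  name: 'example-pkg',
  versions: {
    '1.0.0': {
      dist: {
        integrity: 'sha512-' + Buffer.alloc(64, 0xab).toString('base64'),
        signatures: [{ keyid: 'constructed-keyid', sig: 'constructed' }],
      },
    },
    '1.1.0': {
      dist: {
        integrity: 'sha512-' + TARBALL_1_1_0.toString('base64'),
        signatures: [{ keyid: 'constructed-keyid', sig: 'constructed' }],
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@1.1.0',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
  },
};

// Constructed in-toto v1 Statement with a SLSA v1 predicate, in the shape npm
// publishes for GitHub Actions builds (this is the decoded DSSE payload).
const SAMPLE_STATEMENT = {
  _type: 'https://in-toto.io/Statement/v1',
  subject: [{ name: 'pkg:npm/example-pkg@1.1.0', digest: { sha512: TARBALL_1_1_0.toString('hex') } }],
  predicateType: 'https://slsa.dev/provenance/v1',
  predicate: {
    buildDefinition: {
      buildType: 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1',
      externalParameters: {
        workflow: {
          ref: 'refs/tags/v1.1.0',
          repository: 'https://github.com/example/example-pkg',
          path: '.github/workflows/release.yml',
        },
      },
    },
    runDetails: { builder: { id: 'https://github.com/actions/runner/github-hosted' } },
  },
};

// Returns 'provenance' | 'registry-signature-only' | 'unsigned' | 'unknown-version'.
// A registry signature only proves npmjs.com served this tarball; it says nothing
// about where the code came from. Provenance is what links it to source.
function provenanceStatus(packument, version) {
  const entry = packument.versions && packument.versions[version];
  if (!entry) return 'unknown-version';
  const dist = entry.dist || {};
  if (dist.attestations && dist.attestations.provenance) return 'provenance';
  if (Array.isArray(dist.signatures) && dist.signatures.length > 0) return 'registry-signature-only';
  return 'unsigned';
}

// SRI string "sha512-<base64>" -> { alg: 'sha512', hex: '<lowercase hex>' }
function parseIntegrity(sri) {
  const dash = sri.indexOf('-');
  return { alg: sri.slice(0, dash), hex: Buffer.from(sri.slice(dash + 1), 'base64').toString('hex') };
}

// Check that a provenance statement names the resolved tarball and records the
// expected repository as the source that was built.
function checkProvenanceStatement(statement, integrity, expectedRepo) {
  const problems = [];
  if (statement._type !== 'https://in-toto.io/Statement/v1') problems.push('not an in-toto v1 Statement');
  if (statement.predicateType !== 'https://slsa.dev/provenance/v1') problems.push(`unexpected predicateType ${statement.predicateType}`);

  // The statement must name the exact tarball we resolved: compare the
  // packument's integrity hash with the subject digest of the same algorithm.
  const { alg, hex } = parseIntegrity(integrity);
  const subjects = Array.isArray(statement.subject) ? statement.subject : [];
  if (!subjects.some((s) => s.digest && typeof s.digest[alg] === 'string' && s.digest[alg].toLowerCase() === hex)) {
    problems.push(`tarball ${alg} digest is not a subject of the statement`);
  }

  // The source recorded by the builder must be the repository we expect; a
  // fork or an attacker-controlled repo shows up here even with a valid signature.
  const predicate = statement.predicate || {};
  const workflow = ((predicate.buildDefinition || {}).externalParameters || {}).workflow || {};
  if (workflow.repository !== expectedRepo) problems.push(`built from ${workflow.repository || '<unknown>'}, expected ${expectedRepo}`);

  const builder = ((predicate.runDetails || {}).builder || {}).id;
  return { ok: problems.length === 0, repository: workflow.repository, ref: workflow.ref, builder, problems };
}

module.exports = { provenanceStatus, parseIntegrity, checkProvenanceStatement, SAMPLE_PACKUMENT, SAMPLE_STATEMENT };
```

Against the live registry, `npm view @jsreport/jsreport-npm dist.attestations` shows whether the pointer exists at all (empty output is the "no provenance" case reported above), and `npm audit signatures` verifies the registry signatures and any provenance attestations of an installed tree against the Sigstore trust root. The repository check in `checkProvenanceStatement` is the part that makes provenance useful: it is what ties the tarball to a specific public source rather than to "some GitHub workflow".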