@kosdev-code/kos-nx-plugin

Nx plugin providing generators and executors for KOS UI application development.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

kosdevmatrica_mark

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
bogus-package	bogus-package	AI (bogus-package): NX plugins conventionally use generators.json/migrations.json as entry points; empty main and missing metadata are structural, not spam indicators, for this package type.	ai	2026/04/27
dependencies	unvetted-dep:@nx/react	AI (dependencies): @nx/react is a standard NX ecosystem package; its presence in an NX plugin is expected and benign across all versions.	ai	2026/04/26
dependencies	unvetted-dep:@nx/devkit	AI (dependencies): @nx/devkit is the core NX plugin API; its presence in an NX plugin is expected and benign across all versions.	ai	2026/04/26
install-scripts	install-script:postinstall	AI (install-scripts): The postinstall script is an empty string — it is a no-op and executes nothing. This is a stable false positive for this package.	ai	2026/04/25
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): The raw IP is 127.0.0.1 (localhost), used as a local dev server host in a generator config. No exfiltration risk; stable false positive for this build plugin.	ai	2026/04/25
semgrep	semgrep:child-process-import	AI (semgrep): child_process is used solely to locate Java home directory — standard practice for build plugins interacting with Java tooling. No user-controlled input or arbitrary execution.	ai	2026/04/25