@lenne.tech/nest-server
Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): env spread is used only to inject ANTHROPIC_API_KEY for Claude CLI provider; not exfiltration. | ai | |
| phantom-deps | phantom-dep:@apollo/server | AI (phantom-deps): Optional peer/integration dep; referenced in config but not directly imported — stable pattern for this framework package. | ai | |
| phantom-deps | phantom-dep:light-my-request | AI (phantom-deps): Testing utility; not directly imported in main source. | ai | |
| phantom-deps | phantom-dep:@apollo/gateway | AI (phantom-deps): Optional peer/framework dep referenced in config; not directly imported in source. | ai | |
| phantom-deps | phantom-dep:nodemon | AI (phantom-deps): Dev/start tooling referenced in scripts; not a runtime import. | ai | |
| phantom-deps | phantom-dep:apollo-server-express | AI (phantom-deps): Framework peer dep; not directly imported in main source. | ai | |
| phantom-deps | phantom-dep:rimraf | AI (phantom-deps): Used in build scripts only; not a runtime import. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:ts-jest | AI (phantom-deps): ts-jest is referenced in jest config within package.json; phantom-dep heuristic fires but it's a legitimate config-only reference. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Loads a resolved CLI path variable, not arbitrary user input; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@as-integrations/express5 | AI (phantom-deps): Apollo/Express integration loaded by convention. | ai | |
| phantom-deps | phantom-dep:json-to-graphql-query | AI (phantom-deps): Config-referenced utility; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@nestjs/websockets | AI (phantom-deps): NestJS peer dep loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:@types/supertest | AI (phantom-deps): Type-only package, framework-scoped. | ai | |
| phantom-deps | phantom-dep:supertest | AI (phantom-deps): Test utility referenced by convention, not a runtime import. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Decodes TUS upload metadata values — standard protocol handling, not obfuscation. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Used in crypto.timingSafeEqual for key comparison — legitimate cryptographic use. | ai | |
Versions (showing 25 of 25)
| Version | Deps | Published |
|---|---|---|
| 11.26.2 | 49 / 35 | |
| 11.26.1 | 49 / 35 | |
| 11.26.0 | 49 / 35 | |
| 11.25.6 | 48 / 35 | |
| 11.25.5 | 48 / 35 | |
| 11.25.4 | 48 / 35 | |
| 11.25.0 | 48 / 35 | |
| 11.22.1 | 46 / 37 | |
| 11.22.0 | 46 / 37 | |
| 11.21.3 | 46 / 37 | |
| 11.21.1 | 46 / 37 | |
| 11.21.0 | 46 / 37 | |
| 11.20.1 | 46 / 37 | |
| 11.13.4 | 46 / 47 | |
| 11.11.1 | 46 / 53 | |
| 11.10.2 | 46 / 53 | |
| 11.7.3 | 44 / 51 | |
| 11.7.2 | 44 / 51 | |
| 11.6.2 | 44 / 50 | |
| 11.6.0 | 39 / 50 | |
| 11.4.8 | 40 / 48 | |
| 11.4.6 | 40 / 48 | |
| 11.4.1 | 40 / 48 | |
| 11.4.0 | 40 / 48 | |
| 11.1.13 | 45 / 46 | |
v11.26.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.26.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.26.0
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lenneTech/nest-server/blob/f5fe09f2532ae6090b7230872bf41b39ee7bd5e7/src/core/modules/ai/providers/claude-cli.provider.ts#L190

```typescript
  188 | protected run(args: string[], input: string, timeoutMs: number): Promise<string> {
  189 |   return new Promise<string>((resolve, reject) => {
> 190 |     const env = { ...process.env };
  191 |     if (this.connection.apiKey) {
  192 |       env.ANTHROPIC_API_KEY = this.connection.apiKey;
```

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.25.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.25.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.25.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.22.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.22.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.21.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.21.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.21.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.20.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.13.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.11.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.10.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.7.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.7.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.6.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.6.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.4.8
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.4.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.4.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.4.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v11.1.13
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.