@lowdefy/server-dev
[Apache-2.0](https://github.com/lowdefy/lowdefy/blob/main/LICENSE)
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:react-icons | AI (phantom-deps): Same-org monorepo pattern; resolved transitively. | ai | |
| phantom-deps | phantom-dep:@lowdefy/blocks-qr | AI (phantom-deps): Same-org package; stable false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@lowdefy/blocks-color-selectors | AI (phantom-deps): Same-org package; stable false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@lowdefy/operators-moment | AI (phantom-deps): Same-org package; stable false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@lowdefy/blocks-markdown | AI (phantom-deps): Same-org package; stable false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@lowdefy/operators-nunjucks | AI (phantom-deps): Same-org package; stable false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@lowdefy/operators-change-case | AI (phantom-deps): Same-org package; stable false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@lowdefy/operators-yaml | AI (phantom-deps): Same-org package; stable false positive for this monorepo package. | ai | |
| phantom-deps | phantom-dep:@lowdefy/layout | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lowdefy/blocks-antd | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lowdefy/actions-core | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lowdefy/blocks-basic | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lowdefy/operators-js | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lowdefy/blocks-aggrid | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Dev server spawning Next.js; spreading process.env is standard and intentional for this package. | ai | |
| phantom-deps | phantom-dep:@lowdefy/operators-mql | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lowdefy/blocks-echarts | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lowdefy/blocks-loaders | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lowdefy/operators-diff | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lowdefy/operators-uuid | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lowdefy/blocks-tiptap | AI (phantom-deps): Same-org monorepo dep newly added; stable false positive. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used in JS module parser for template engine; consistent with Lowdefy's low-code runtime design. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Plugin loader pattern requiring user-configured plugin names; stable across versions. | ai | |
| phantom-deps | phantom-dep:dayjs | AI (phantom-deps): Well-known dep used transitively; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:process | AI (phantom-deps): Node built-in polyfill listed as dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:react-dom | AI (phantom-deps): Next.js peer dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:tailwindcss | AI (phantom-deps): CSS tooling dep used via config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@lowdefy/engine | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 5.3.0 | 49 / 3 | |
| 5.2.0 | 48 / 3 | |
| 5.1.0 | 47 / 3 | |
| 5.0.0 | 47 / 3 | |
| 4.7.3 | 42 / 6 | |
| 4.7.2 | 42 / 6 | |
| 4.6.0 | 42 / 6 | |
| 4.5.2 | 40 / 5 | |
| 4.5.1 | 40 / 5 | |
v5.3.0
2 findings
Spreading entire process.env into an object — may capture all secrets
```js
const nextServer = spawn('node', [context.bin.next, 'start'], {
  stdio: ['ignore', 'inherit', 'pipe'],
  env: { // flagged line
    ...process.env,
    LOWDEFY_DIRECTORY_CONFIG: context.directories.config,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.2.0
2 findings
Spreading entire process.env into an object — may capture all secrets
```js
const nextServer = spawn('node', [context.bin.next, 'start'], {
  stdio: ['ignore', 'inherit', 'pipe'],
  env: { // flagged line
    ...process.env,
    LOWDEFY_DIRECTORY_CONFIG: context.directories.config,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.0.0
2 findings
Spreading entire process.env into an object — may capture all secrets
```js
const nextServer = spawn('node', [context.bin.next, 'start'], {
  stdio: ['ignore', 'inherit', 'pipe'],
  env: { // flagged line
    ...process.env,
    LOWDEFY_DIRECTORY_CONFIG: context.directories.config,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.7.3
2 findings
Spreading entire process.env into an object — may capture all secrets
```js
const nextServer = spawn('node', [context.bin.next, 'start'], {
  stdio: ['ignore', 'inherit', 'pipe'],
  env: { // flagged line
    ...process.env,
    LOWDEFY_DIRECTORY_CONFIG: context.directories.config,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.7.2
2 findings
Spreading entire process.env into an object — may capture all secrets
```js
const nextServer = spawn('node', [context.bin.next, 'start'], {
  stdio: ['ignore', 'inherit', 'pipe'],
  env: { // flagged line
    ...process.env,
    LOWDEFY_DIRECTORY_CONFIG: context.directories.config,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.6.0
2 findings
Spreading entire process.env into an object — may capture all secrets
```js
const nextServer = spawn('node', [context.bin.next, 'start'], {
  stdio: ['ignore', 'inherit', 'pipe'],
  env: { // flagged line
    ...process.env,
    LOWDEFY_DIRECTORY_CONFIG: context.directories.config,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.5.2
2 findings
Spreading entire process.env into an object — may capture all secrets
```js
  args: [context.bin.next, 'start'],
  processOptions: {
    env: { // flagged line
      ...process.env,
      LOWDEFY_DIRECTORY_CONFIG: context.directories.config,
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.5.1
2 findings
Spreading entire process.env into an object — may capture all secrets
```js
  args: [context.bin.next, 'start'],
  processOptions: {
    env: { // flagged line
      ...process.env,
      LOWDEFY_DIRECTORY_CONFIG: context.directories.config,
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.