@mongosh/cli-repl
MongoDB Shell CLI REPL Package
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
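Added example, not code from this scorecard or from mongosh: a consumer-side check for that link. It inspects the `dist.attestations` field that the npm registry exposes on versions published with provenance (the SLSA predicate type under `provenance.predicateType`). The packument below is constructed, and the package name and registry URLs in it are placeholders. Finding the field is only the first step: it says an attestation is advertised, not that it verifies, which is what `npm audit signatures` checks against the Sigstore transparency log.

```javascript
// Added example: report which published versions of an npm package carry a
// Sigstore/SLSA provenance attestation, using the registry packument shape.
// Illustrative code, not part of mongosh or of this scorecard site.

const SLSA_PREDICATE_PREFIX = 'https://slsa.dev/provenance/';

// Status of one version entry from a packument (`packument.versions[v]`).
function provenanceStatus(versionMeta) {
  const att = versionMeta && versionMeta.dist && versionMeta.dist.attestations;
  if (!att || typeof att.url !== 'string') {
    return { hasProvenance: false, predicateType: null, attestationUrl: null };
  }
  const predicateType = att.provenance && att.provenance.predicateType;
  return {
    // Only a SLSA provenance predicate counts; other attestation kinds do not
    // establish the source-to-tarball link discussed above.
    hasProvenance: typeof predicateType === 'string'
      && predicateType.startsWith(SLSA_PREDICATE_PREFIX),
    predicateType: predicateType || null,
    attestationUrl: att.url,
  };
}

// Every version in the packument that was published without provenance.
function versionsWithoutProvenance(packument) {
  return Object.entries(packument.versions || {})
    .filter(([, meta]) => !provenanceStatus(meta).hasProvenance)
    .map(([version]) => version);
}

// Constructed sample packument: 1.0.0 published without provenance, 1.1.0 with.
// Names and URLs are placeholders, not real registry data.
const SAMPLE_PACKUMENT = {
  name: 'example-pkg',
  versions: {
    '1.0.0': {
      dist: { tarball: 'https://registry.example/example-pkg/-/example-pkg-1.0.0.tgz' },
    },
    '1.1.0': {
      dist: {
        tarball: 'https://registry.example/example-pkg/-/example-pkg-1.1.0.tgz',
        attestations: {
          url: 'https://registry.example/-/npm/v1/attestations/example-pkg@1.1.0',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
  },
};

console.log('versions without provenance:', versionsWithoutProvenance(SAMPLE_PACKUMENT));
```

To run this against a real package, fetch `https://registry.npmjs.org/<name>` and pass the parsed JSON in place of `SAMPLE_PACKUMENT`; then run `npm audit signatures` in a project that depends on it to have npm verify the attestation rather than merely detect it.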
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env in smoke-tests.js is standard test harness behavior for a CLI tool. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() is the core mechanism of a REPL; expected and intentional in node-repl-fix-history-rewrite-on-error.js. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require of builtins is a documented webpack compatibility pattern in mongosh. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used in smoke-tests.js to spawn the shell binary; expected for a CLI test harness. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding is used for TLS certificate thumbprint lookup; legitimate and documented use. | ai | |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 2.8.3 | 34 / 17 | |
| 2.8.2 | 32 / 17 | |
| 2.8.1 | 32 / 17 | |
| 2.7.0 | 32 / 17 | |
| 2.6.0 | 32 / 17 | |
| 2.5.10 | 33 / 18 | |
| 2.5.9 | 32 / 18 | |
| 2.5.8 | 31 / 18 | |
| 2.5.7 | 31 / 18 | |
| 2.5.6 | 31 / 18 | |
| 2.5.5 | 31 / 18 | |
| 2.5.3 | 31 / 18 | |
| 2.5.2 | 31 / 18 | |
| 2.5.1 | 31 / 18 | |
v2.8.3
2 findings

Finding 1: Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/mongodb-js/mongosh/blob/d5a0d964b21e3dc651a3a8391f21c87117e74514/lib/smoke-tests.js#L328

```js
326 | const proc = (0, child_process_1.spawn)(executable, [...args], {
327 |   stdio: 'pipe',
> 328 |   env: { ...process.env, ...env },
329 | });
330 | proc.stdin.on('error', (e) => {
```

Finding 2: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.