@mui/internal-code-infra
Infra scripts and configs to be used across MUI repos.
2
Versions
MIT
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
janpotomsmichaldudakmnajdovadiegoandaibrijeshb42siriwatknpmj12albertaarongarciahdav-isoliviertassinari
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:eslint-plugin-testing-library | AI (phantom-deps): ESLint config package; deps are used in config files, not directly imported as modules. | ai | |
| phantom-deps | phantom-dep:eslint-config-prettier | AI (phantom-deps): ESLint config package; deps are used in config files, not directly imported as modules. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-jsx-a11y | AI (phantom-deps): ESLint config package; deps are used in config files, not directly imported as modules. | ai | |
| phantom-deps | phantom-dep:eslint-config-airbnb-base | AI (phantom-deps): ESLint config package; deps are used in config files, not directly imported as modules. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-react-hooks | AI (phantom-deps): ESLint config package; deps are used in config files, not directly imported as modules. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-react-compiler | AI (phantom-deps): ESLint config package; deps are used in config files, not directly imported as modules. | ai | |
| phantom-deps | phantom-dep:globals | AI (phantom-deps): ESLint config package; deps are used in config files, not directly imported as modules. | ai | |
| phantom-deps | phantom-dep:minimatch | AI (phantom-deps): ESLint config package; deps are used in config files, not directly imported as modules. | ai | |
| phantom-deps | phantom-dep:emoji-regex | AI (phantom-deps): ESLint config package; deps are used in config files, not directly imported as modules. | ai | |
| phantom-deps | phantom-dep:typescript-eslint | AI (phantom-deps): ESLint config package; deps are used in config files, not directly imported as modules. | ai | |
| phantom-deps | phantom-dep:eslint-module-utils | AI (phantom-deps): ESLint config package; deps are used in config files, not directly imported as modules. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-mocha | AI (phantom-deps): ESLint config package; deps are used in config files, not directly imported as modules. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-react | AI (phantom-deps): ESLint config package; deps are used in config files, not directly imported as modules. | ai | |
| phantom-deps | phantom-dep:eslint-config-airbnb | AI (phantom-deps): ESLint config package; deps are used in config files, not directly imported as modules. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-import | AI (phantom-deps): ESLint config package; deps are used in config files, not directly imported as modules. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Internal MUI infra package; thin README and no keywords are expected for internal tooling. | ai | |
| phantom-deps | phantom-dep:@babel/cli | AI (phantom-deps): CLI tool loaded by convention, not direct import; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:eslint-import-resolver-typescript | AI (phantom-deps): Referenced in ESLint config files by convention, not direct import; stable false positive. | ai | |
| phantom-deps | phantom-dep:@mui/internal-babel-plugin-minify-errors | AI (phantom-deps): Same-org Babel plugin loaded via config, not direct import; stable false positive. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): CLI tool spreading process.env to subprocess invocations is standard and intentional for this infra package. | ai |
v0.0.2
2 findings
HIGH
env-spread: src/cli/babel.mjs:139
semgrep
Spreading entire process.env into an object — may capture all secrets 137 | preferLocal: true, 138 | localDir: import.meta.dirname, > 139 | env: { 140 | ...process.env, 141 | ...env,
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.1
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.