@nx/angular — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

nrwlownernrwl-jasonjack-nrwlmaxklessjameshenry

Keywords

MonorepoAngularJestCypressCLIFront-end

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:src/plugins/utils/vitest.js	AI (source-diff): Standard ESM dynamic-import workaround in CJS plus fs.readdir for config discovery; not malicious.	ai	2026/05/28
semgrep	semgrep:env-spread	AI (semgrep): Standard build-tool pattern: passing process.env to child worker for stylesheet processing; not exfiltration.	ai	2026/05/24
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require of user-supplied module federation config path is the documented plugin behavior, not arbitrary code execution.	ai	2026/05/23
semgrep	semgrep:new-function-constructor	AI (semgrep): new Function used solely as ESM dynamic import shim for environments lacking native import(); stable pattern in this package.	ai	2026/05/23
phantom-deps	phantom-dep:@nx/rspack	AI (phantom-deps): Same-org optional peer/dep; phantom-dep false positive for this monorepo package.	ai	2026/05/23

Versions (showing 50 of 50)

Version	Deps	Published
22.7.5	17 / 0	2026-05-27
22.7.4	17 / 0	2026-05-25
22.7.3	17 / 0	2026-05-22
22.7.2	17 / 0	2026-05-14
22.7.1	17 / 0	2026-04-28
22.7.0	17 / 0	2026-04-24
22.6.5	17 / 0	2026-04-10
22.6.4	17 / 0	2026-04-01
22.6.3	17 / 0	2026-03-27
22.6.2	17 / 0	2026-03-26
22.6.1	17 / 0	2026-03-20
22.6.0	17 / 0	2026-03-18
22.5.4	17 / 0	2026-03-04
22.5.3	17 / 0	2026-02-26
22.5.2	17 / 0	2026-02-20
22.5.1	17 / 0	2026-02-13
22.5.0	17 / 0	2026-02-09
22.4.5	17 / 0	2026-02-03
22.4.4	17 / 0	2026-01-30
22.4.3	17 / 0	2026-01-29
22.4.2	17 / 0	2026-01-26
22.4.1	17 / 0	2026-01-22
22.4.0	17 / 0	2026-01-21
22.3.3	17 / 0	2025-12-19
22.3.2	17 / 0	2025-12-19
22.3.1	17 / 0	2025-12-18
22.3.0	17 / 0	2025-12-17
22.2.7	17 / 0	2025-12-16
22.2.6	17 / 0	2025-12-16
22.2.5	17 / 0	2025-12-16
22.2.4	17 / 0	2025-12-15
22.2.3	17 / 0	2025-12-12
22.2.2	17 / 0	2025-12-12
22.2.1	17 / 0	2025-12-11
22.2.0	17 / 0	2025-12-08
22.1.3	17 / 0	2025-11-27
22.1.2	17 / 0	2025-11-26
22.1.1	17 / 0	2025-11-22
22.1.0	17 / 0	2025-11-19
22.0.4	17 / 0	2025-11-17
22.0.3	17 / 0	2025-11-10
22.0.2	17 / 0	2025-10-28
22.0.1	17 / 0	2025-10-22
22.0.0	17 / 0	2025-10-22
21.6.11	17 / 0	2026-04-17
21.6.10	17 / 0	2025-11-27
21.6.9	17 / 0	2025-11-18
21.3.12	17 / 0	2026-02-11
20.8.4	18 / 0	2026-01-12
20.8.3	18 / 0	2025-11-21

v22.7.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.7.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.7.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.7.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.7.0

2 findings

HIGH New file with network + code execution: src/plugins/utils/vitest.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.6.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.6.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.6.3

2 findings

HIGH New file with network + code execution: src/plugins/utils/vitest.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.6.2

2 findings

HIGH New file with network + code execution: src/plugins/utils/vitest.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.6.1

2 findings

HIGH New file with network + code execution: src/plugins/utils/vitest.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.6.0

2 findings

HIGH New file with network + code execution: src/plugins/utils/vitest.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.5.4

2 findings

HIGH New file with network + code execution: src/plugins/utils/vitest.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.5.3

2 findings

HIGH New file with network + code execution: src/plugins/utils/vitest.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.5.2

2 findings

HIGH New file with network + code execution: src/plugins/utils/vitest.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.5.1

2 findings

HIGH New file with network + code execution: src/plugins/utils/vitest.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.5.0

2 findings

HIGH New file with network + code execution: src/plugins/utils/vitest.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.4.5

2 findings

HIGH New file with network + code execution: src/plugins/utils/vitest.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.4.4

2 findings

HIGH New file with network + code execution: src/plugins/utils/vitest.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.4.3

2 findings

HIGH New file with network + code execution: src/plugins/utils/vitest.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.4.2

2 findings

HIGH New file with network + code execution: src/plugins/utils/vitest.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.4.1

2 findings

HIGH New file with network + code execution: src/plugins/utils/vitest.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.4.0

2 findings

HIGH New file with network + code execution: src/plugins/utils/vitest.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.3.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.3.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.3.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.2.7

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.2.6

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.2.5

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.2.4

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.2.3

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.2.2

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.2.1

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.2.0

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.1.3

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.1.2

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.1.1

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.1.0

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.0.4

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.0.3

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.0.2

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.0.1

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.0.0

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.6.10

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.6.9

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.3.12

2 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:87 semgrep

Spreading entire process.env into an object — may capture all secrets 85 | maxThreads, 86 | recordTiming: false, > 87 | env: { 88 | ...process.env, 89 | FORCE_COLOR: '' + colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v20.8.4

3 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:98 semgrep

Spreading entire process.env into an object — may capture all secrets 96 | maxThreads, 97 | recordTiming: false, > 98 | env: { 99 | ...process.env, 100 | FORCE_COLOR: '' + color_1.colors.enabled,

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:176 semgrep

Spreading entire process.env into an object — may capture all secrets 174 | maxThreads, 175 | recordTiming: false, > 176 | env: { 177 | ...process.env, 178 | FORCE_COLOR: '' + color_1.colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v20.8.3

3 findings

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:98 semgrep

Spreading entire process.env into an object — may capture all secrets 96 | maxThreads, 97 | recordTiming: false, > 98 | env: { 99 | ...process.env, 100 | FORCE_COLOR: '' + color_1.colors.enabled,

HIGH env-spread: src/executors/utilities/ng-packagr/pre-v19/stylesheet-processor.js:176 semgrep

Spreading entire process.env into an object — may capture all secrets 174 | maxThreads, 175 | recordTiming: false, > 176 | env: { 177 | ...process.env, 178 | FORCE_COLOR: '' + color_1.colors.enabled,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.