← Home

@nx/enterprise-cloud

npm Homepage

A Nx plugin which is specific to Nx Enterprise Cloud workspaces.

8
Versions
Commercial
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

nrwlownernrwl-jasonjack-nrwlmaxklessjameshenry

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance missing-githead AI (provenance): Nx enterprise packages published via GitHub Actions; missing gitHead is a CI config change, not a supply-chain indicator for this package. ai
semgrep semgrep:obfuscation-while-true AI (semgrep): Commercial Nx enterprise plugin intentionally obfuscates proprietary code; stable pattern across all versions. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require inside obfuscated commercial plugin; consistent with plugin loader patterns, no exfiltration indicators. ai
provenance no-provenance AI (provenance): Official Nx org package published via GitHub Actions CI; provenance absence is consistent across all versions. ai
license uncommon-license:Commercial AI (license): Nx Enterprise Cloud is a commercial product; Commercial license is expected and stable for this package. ai

Versions (showing 8 of 8)

Version Deps Published
5.0.7 3 / 0
5.0.6 3 / 0
5.0.5 3 / 0
5.0.4 3 / 0
5.0.3 3 / 0
5.0.2 3 / 0
5.0.1 3 / 0
5.0.0 3 / 0

v5.0.7

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.6

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.5

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.0.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.0.2

4 findings
HIGH obfuscation-while-true: src/generators/init/init.js:1 semgrep

while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';function a0_0x3e26(_0x1745c6,_0x4a186a){const _0x568c25=a0_0x568c();return a0_0x3e26=function(_0x3e26dd,_0x

HIGH obfuscation-while-true: src/index.js:1 semgrep

while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';function a1_0x31b6(_0x3f83e4,_0x1ceca9){var _0x2ce79a=a1_0x2ce7();return a1_0x31b6=function(_0x31b634,_0x47

HIGH obfuscation-while-true: src/plugin/plugin.js:1 semgrep

while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';const a2_0x492b81=a2_0x7972;(function(_0x3b66e1,_0x279efd){const _0x43ff04=a2_0x7972,_0xa93320=_0x3b66e1();

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.0.1

4 findings
HIGH obfuscation-while-true: src/generators/init/init.js:1 semgrep

while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';function a0_0x2a3e(){const _0x2a852a=['253166dDwSmo','nx.json','plugins','1ihYTrK','1513369fInZTw','719750J

HIGH obfuscation-while-true: src/index.js:1 semgrep

while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';var a1_0x1bd96b=a1_0x55ef;(function(_0x422da9,_0x28312c){var _0x41d84d=a1_0x55ef,_0x5014b9=_0x422da9();whil

HIGH obfuscation-while-true: src/plugin/plugin.js:1 semgrep

while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';const a2_0x31c58e=a2_0x4963;(function(_0x4135eb,_0x47e522){const _0x31b3e0=a2_0x4963,_0x41a04e=_0x4135eb();

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.0.0

4 findings
HIGH obfuscation-while-true: src/generators/init/init.js:1 semgrep

while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';function a0_0xe1a7(_0x35404b,_0x39096a){const _0x477694=a0_0x4776();return a0_0xe1a7=function(_0xe1a781,_0x

HIGH obfuscation-while-true: src/index.js:1 semgrep

while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';var a1_0x327aaf=a1_0x32ac;function a1_0x32ac(_0x20ebd8,_0x13306c){var _0x161d97=a1_0x161d();return a1_0x32a

HIGH obfuscation-while-true: src/plugin/plugin.js:1 semgrep

while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';const a2_0x23b0fe=a2_0x38cf;(function(_0x4c0bef,_0x266457){const _0x36ea6d=a2_0x38cf,_0x1d3661=_0x4c0bef();

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.