@nx/key
Package to provide the ability to activate and read licenses for Nx Powerpack.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:axios-retry | AI (phantom-deps): axios-retry is a declared runtime dep used inside the obfuscated bundle; phantom-dep heuristic cannot see into obfuscated code. | ai | |
| phantom-deps | phantom-dep:ora | AI (phantom-deps): ora is a declared dependency used indirectly via bundled/obfuscated code; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:axios | AI (phantom-deps): axios is a declared dependency used indirectly via bundled/obfuscated code; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): chalk is a declared dependency used indirectly via bundled/obfuscated code; stable false positive for this package. | ai | |
| semgrep | semgrep:obfuscation-while-true | AI (semgrep): Commercial license-key enforcement module; intentional obfuscation of DRM logic is expected and stable across versions. | ai | |
| typosquat | typosquat.levenshtein:koa | AI (typosquat): @nx/key is a scoped package in the official Nx org; not a typosquat of koa. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Official Nx Powerpack package; README linking to nx.dev docs is expected, not a link farm. | ai | |
| typosquat | typosquat.levenshtein:knex | AI (typosquat): @nx/key is a scoped package in the official Nx org; not a typosquat of knex. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Native NAPI binary loader reads platform-specific binaries; fs/child_process use is expected. | ai | |
| semgrep | semgrep:toplevel-fetch | AI (semgrep): License activation library makes network calls to validate licenses; expected behavior. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in version.js is a standard pattern for NAPI platform-specific binary loading. | ai |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 5.0.7 | 6 / 0 | |
| 5.0.6 | 6 / 0 | |
| 5.0.5 | 6 / 0 | |
| 5.0.4 | 6 / 0 | |
| 5.0.3 | 6 / 0 |
v5.0.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.