@nx/powerpack-conformance
An Nx Powerpack plugin that lets users write and apply rules across their entire workspace to help with consistency, maintainability, reliability and security.
Supply chain provenance
Status for the latest visible version.
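Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap. Provenance attests where and how a tarball was built; it does not by itself show that the published code is benign, so it complements content review rather than replacing it.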
Maintainers
Accepted risks
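Findings the reviewer chose to accept rather than block on. Acceptance records a decision, not a fix. The per-version listing below shows the obfuscation findings only under v5.0.0–v5.0.2 and the missing-gitHead finding only under v5.0.5 and v5.0.6, so a rationale such as "stable across all versions" should be checked against that listing.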
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Established @nx org package published via GitHub Actions; pipeline change is plausible and no other risk signals present. | ai | |
| license | uncommon-license:Commercial | AI (license): Commercial license is expected and documented for Nx Powerpack products; stable across versions. | ai | |
| semgrep | semgrep:obfuscation-while-true | AI (semgrep): Nx Powerpack intentionally ships obfuscated commercial binaries; this pattern is stable across all versions. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is a byproduct of the obfuscated commercial bundle; not an independent risk for this package. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 5.0.7 | 1 / 0 | |
| 5.0.6 | 1 / 0 | |
| 5.0.5 | 1 / 0 | |
| 5.0.4 | 1 / 0 | |
| 5.0.3 | 1 / 0 | |
| 5.0.2 | 1 / 0 | |
| 5.0.1 | 1 / 0 | |
| 5.0.0 | 1 / 0 | |
v5.0.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.6
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.5
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.2
11 findings
while(!![]) loop is a signature of javascript-obfuscator output 1 | #!/usr/bin/env node > 2 | 'use strict';function a0_0xe061(){var _0x4c970f=['153RClEyT','48642KaisSa','33952GtYgOj','1972610UMbAqn','462816IOlkjl',
while(!![]) loop is a signature of javascript-obfuscator output 1 | #!/usr/bin/env node > 2 | 'use strict';function a1_0x4e4f(_0x2030ed,_0x150fa1){var _0x219beb=a1_0x219b();return a1_0x4e4f=function(_0x4e4f81,_0x14
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';function a2_0x4f10(){var _0x5d886c=['114960clpESn','2572130JeHzJI','exports','9035550iJQdif','3636708oeLBvX
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';var a3_0x1ce2aa=a3_0x4277;function a3_0x4277(_0x2a0751,_0x91f275){var _0x488394=a3_0x4883();return a3_0x427
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';function a4_0x188a(){var _0x3c9f5f=['@nx/conformance','444388uOwhqJ','148592zbgoSi','1477RAzhpa','341820gxz
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';function a5_0x850c(){var _0x19826d=['2316meDFYe','33hkrwfh','16039392zKcPjP','100155vyCzWr','52AzBSJq','445
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';(function(_0xeaeebc,_0x2ad147){var _0x31e7a3=a8_0x50dc,_0x50a0da=_0xeaeebc();while(!![]){try{var _0x5b846c=
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';var a6_0x14ceba=a6_0x5291;function a6_0x5291(_0x322145,_0x174afe){var _0x24b3bf=a6_0x24b3();return a6_0x529
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';function a7_0x3e5d(){var _0x3bf179=['6151962SUCSES','3767288RWBWXo','782862XQNCPw','1727320dCQEqN','936600X
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';function a9_0x3742(_0x5e4a47,_0x53d129){const _0x2d14cf=a9_0x2d14();return a9_0x3742=function(_0x3742ef,_0x
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.1
11 findings
while(!![]) loop is a signature of javascript-obfuscator output 1 | #!/usr/bin/env node > 2 | 'use strict';(function(_0x4de06a,_0x324167){var _0x97235f=a0_0x5af9,_0xf1f9bc=_0x4de06a();while(!![]){try{var _0x4b1da2=
while(!![]) loop is a signature of javascript-obfuscator output 1 | #!/usr/bin/env node > 2 | 'use strict';var a1_0x574f4c=a1_0x292f;function a1_0x3a1a(){var _0x32a65c=['288rqQFtr','2961579GZNOwd','4cGGybG','277265
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';var a2_0x4fe5ce=a2_0x35bb;(function(_0x8d5d7d,_0x11bd35){var _0x1c5402=a2_0x35bb,_0x249374=_0x8d5d7d();whil
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';function a3_0x1a8f(){var _0x1b384b=['260YygPUa','11068PiglIg','@nx/conformance/src/generators/create-rule/c
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';var a4_0x3a986f=a4_0xb70a;function a4_0xb70a(_0xa33232,_0x41a73d){var _0x5d0b32=a4_0x5d0b();return a4_0xb70
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';var a5_0x21e167=a5_0x3541;function a5_0x3541(_0x1b026c,_0xe824bb){var _0x131600=a5_0x1316();return a5_0x354
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';var a8_0x4e648f=a8_0x33af;function a8_0x33af(_0xa27252,_0x4c6dca){var _0x47cada=a8_0x47ca();return a8_0x33a
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';function a6_0x56da(){var _0x165f21=['260478dodppk','@nx/conformance/enforce-project-boundaries','2714960PZP
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';function a7_0x2e17(){var _0x2fe451=['@nx/conformance/ensure-owners','exports','6hyAdZE','2761020pfcDAH','7Y
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';const a9_0x26d915=a9_0x1006;(function(_0x2fdef1,_0x2983fa){const _0x569bd4=a9_0x1006,_0xb9dba2=_0x2fdef1();
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.0
11 findings
while(!![]) loop is a signature of javascript-obfuscator output 1 | #!/usr/bin/env node > 2 | 'use strict';var a0_0x55cde2=a0_0x51f6;(function(_0x129f9c,_0x223a2c){var _0x420161=a0_0x51f6,_0x1069fa=_0x129f9c();whil
while(!![]) loop is a signature of javascript-obfuscator output 1 | #!/usr/bin/env node > 2 | 'use strict';function a1_0x5384(_0x43ca25,_0x4477b4){var _0x40212c=a1_0x4021();return a1_0x5384=function(_0x53843c,_0x2e
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';var a2_0x4cc28b=a2_0x3713;function a2_0x3713(_0x35d0c5,_0x2fb331){var _0x17fab0=a2_0x17fa();return a2_0x371
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';function a3_0x443c(_0x1e4c94,_0x2c9b88){var _0xedff45=a3_0xedff();return a3_0x443c=function(_0x443cb9,_0x5c
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';(function(_0x3918e7,_0x1ef745){var _0x75a1f2=a4_0x16ed,_0x4cb096=_0x3918e7();while(!![]){try{var _0x412488=
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';var a5_0x2514ab=a5_0x200f;function a5_0x200f(_0x4c6298,_0x3a7600){var _0x22a7eb=a5_0x22a7();return a5_0x200
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';function a8_0x50e9(_0x45bf7e,_0x10bb8e){var _0x57562a=a8_0x5756();return a8_0x50e9=function(_0x50e9cd,_0x55
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';var a6_0x41f332=a6_0x16f0;(function(_0xbdf9d9,_0x513189){var _0x2698d5=a6_0x16f0,_0x339cce=_0xbdf9d9();whil
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';var a7_0x1e475f=a7_0x1a25;function a7_0x1c10(){var _0x50d8bf=['5721ODlupc','15153860bjpmTT','254LoSZPQ','42
while(!![]) loop is a signature of javascript-obfuscator output > 1 | 'use strict';const a9_0x3f4de5=a9_0x586a;function a9_0x586a(_0x25d396,_0x5145f4){const _0x45716e=a9_0x4571();return a9_0
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.