@nx/web No license 50 versions

@nx/web

npm Repository Homepage

50

Versions

—

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

nrwlownernrwl-jasonjack-nrwlmaxklessjameshenry

Keywords

MonorepoWebJestCypressCLIFront-end

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:env-spread	AI (semgrep): File-server executor passes env to child http-server process; standard pattern for dev tooling.	ai	2026/05/23
semgrep	semgrep:child-process-import	AI (semgrep): Executor spawns http-server via child_process; expected for Nx executor.	ai	2026/05/23
phantom-deps	phantom-dep:http-server	AI (phantom-deps): http-server is declared as a dependency and invoked via child_process, not imported directly.	ai	2026/05/23

Versions (showing 50 of 50)

Version	Deps	Published
22.7.5	6 / 2	2026-05-27
22.7.4	6 / 2	2026-05-25
22.7.3	6 / 2	2026-05-22
22.7.2	6 / 2	2026-05-14
22.7.1	6 / 2	2026-04-28
22.7.0	6 / 2	2026-04-24
22.6.5	6 / 2	2026-04-10
22.6.4	6 / 2	2026-04-01
22.6.3	6 / 2	2026-03-27
22.6.2	6 / 2	2026-03-26
22.6.1	6 / 2	2026-03-20
22.6.0	6 / 2	2026-03-18
22.5.4	6 / 2	2026-03-04
22.5.3	6 / 2	2026-02-26
22.5.2	6 / 2	2026-02-20
22.5.1	6 / 2	2026-02-13
22.5.0	6 / 2	2026-02-09
22.4.5	6 / 2	2026-02-03
22.4.4	6 / 2	2026-01-30
22.4.3	6 / 2	2026-01-29
22.4.2	6 / 2	2026-01-26
22.4.1	6 / 2	2026-01-22
22.4.0	6 / 2	2026-01-21
22.3.3	6 / 2	2025-12-19
22.3.2	6 / 2	2025-12-19
22.3.1	6 / 2	2025-12-18
22.3.0	6 / 2	2025-12-17
22.2.7	6 / 2	2025-12-16
22.2.6	6 / 2	2025-12-16
22.2.5	6 / 2	2025-12-16
22.2.4	6 / 2	2025-12-15
22.2.3	6 / 2	2025-12-12
22.2.2	6 / 2	2025-12-12
22.2.1	6 / 2	2025-12-11
22.2.0	6 / 2	2025-12-08
22.1.3	6 / 2	2025-11-27
22.1.2	6 / 2	2025-11-26
22.1.1	6 / 2	2025-11-22
22.1.0	6 / 2	2025-11-19
22.0.4	6 / 1	2025-11-17
22.0.3	6 / 1	2025-11-10
22.0.2	6 / 1	2025-10-28
22.0.1	6 / 1	2025-10-22
22.0.0	6 / 1	2025-10-22
21.6.11	6 / 1	2026-04-17
21.6.10	6 / 1	2025-11-27
21.6.9	6 / 1	2025-11-18
21.3.12	6 / 0	2026-02-11
20.8.4	6 / 0	2026-01-12
20.8.3	6 / 0	2025-11-21

v22.7.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.7.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.7.3

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:194 semgrep

Spreading entire process.env into an object — may capture all secrets 192 | stdio: 'pipe', 193 | cwd: context.root, > 194 | env: { 195 | FORCE_COLOR: 'true', 196 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.7.2

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:194 semgrep

Spreading entire process.env into an object — may capture all secrets 192 | stdio: 'pipe', 193 | cwd: context.root, > 194 | env: { 195 | FORCE_COLOR: 'true', 196 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.7.0

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:191 semgrep

Spreading entire process.env into an object — may capture all secrets 189 | stdio: 'pipe', 190 | cwd: context.root, > 191 | env: { 192 | FORCE_COLOR: 'true', 193 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.6.5

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:190 semgrep

Spreading entire process.env into an object — may capture all secrets 188 | stdio: 'pipe', 189 | cwd: context.root, > 190 | env: { 191 | FORCE_COLOR: 'true', 192 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.6.4

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:190 semgrep

Spreading entire process.env into an object — may capture all secrets 188 | stdio: 'pipe', 189 | cwd: context.root, > 190 | env: { 191 | FORCE_COLOR: 'true', 192 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.6.3

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:190 semgrep

Spreading entire process.env into an object — may capture all secrets 188 | stdio: 'pipe', 189 | cwd: context.root, > 190 | env: { 191 | FORCE_COLOR: 'true', 192 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.6.2

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:190 semgrep

Spreading entire process.env into an object — may capture all secrets 188 | stdio: 'pipe', 189 | cwd: context.root, > 190 | env: { 191 | FORCE_COLOR: 'true', 192 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.6.1

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:190 semgrep

Spreading entire process.env into an object — may capture all secrets 188 | stdio: 'pipe', 189 | cwd: context.root, > 190 | env: { 191 | FORCE_COLOR: 'true', 192 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.6.0

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:190 semgrep

Spreading entire process.env into an object — may capture all secrets 188 | stdio: 'pipe', 189 | cwd: context.root, > 190 | env: { 191 | FORCE_COLOR: 'true', 192 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.5.4

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:190 semgrep

Spreading entire process.env into an object — may capture all secrets 188 | stdio: 'pipe', 189 | cwd: context.root, > 190 | env: { 191 | FORCE_COLOR: 'true', 192 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.5.3

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:190 semgrep

Spreading entire process.env into an object — may capture all secrets 188 | stdio: 'pipe', 189 | cwd: context.root, > 190 | env: { 191 | FORCE_COLOR: 'true', 192 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.5.2

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:190 semgrep

Spreading entire process.env into an object — may capture all secrets 188 | stdio: 'pipe', 189 | cwd: context.root, > 190 | env: { 191 | FORCE_COLOR: 'true', 192 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.5.1

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:190 semgrep

Spreading entire process.env into an object — may capture all secrets 188 | stdio: 'pipe', 189 | cwd: context.root, > 190 | env: { 191 | FORCE_COLOR: 'true', 192 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.5.0

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:190 semgrep

Spreading entire process.env into an object — may capture all secrets 188 | stdio: 'pipe', 189 | cwd: context.root, > 190 | env: { 191 | FORCE_COLOR: 'true', 192 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.4.5

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:190 semgrep

Spreading entire process.env into an object — may capture all secrets 188 | stdio: 'pipe', 189 | cwd: context.root, > 190 | env: { 191 | FORCE_COLOR: 'true', 192 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.4.4

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:190 semgrep

Spreading entire process.env into an object — may capture all secrets 188 | stdio: 'pipe', 189 | cwd: context.root, > 190 | env: { 191 | FORCE_COLOR: 'true', 192 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.4.3

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:190 semgrep

Spreading entire process.env into an object — may capture all secrets 188 | stdio: 'pipe', 189 | cwd: context.root, > 190 | env: { 191 | FORCE_COLOR: 'true', 192 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.4.2

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:190 semgrep

Spreading entire process.env into an object — may capture all secrets 188 | stdio: 'pipe', 189 | cwd: context.root, > 190 | env: { 191 | FORCE_COLOR: 'true', 192 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.4.1

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:190 semgrep

Spreading entire process.env into an object — may capture all secrets 188 | stdio: 'pipe', 189 | cwd: context.root, > 190 | env: { 191 | FORCE_COLOR: 'true', 192 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.4.0

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:190 semgrep

Spreading entire process.env into an object — may capture all secrets 188 | stdio: 'pipe', 189 | cwd: context.root, > 190 | env: { 191 | FORCE_COLOR: 'true', 192 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.3.3

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.3.2

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.3.1

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.3.0

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.2.7

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.2.6

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.2.5

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.2.4

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.2.3

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.2.2

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.2.1

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.2.0

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.1.3

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.1.2

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.1.1

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.1.0

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.0.4

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.0.3

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.0.2

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.0.1

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:181 semgrep

Spreading entire process.env into an object — may capture all secrets 179 | stdio: 'pipe', 180 | cwd: context.root, > 181 | env: { 182 | FORCE_COLOR: 'true', 183 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.0.0

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:181 semgrep

Spreading entire process.env into an object — may capture all secrets 179 | stdio: 'pipe', 180 | cwd: context.root, > 181 | env: { 182 | FORCE_COLOR: 'true', 183 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.6.11

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.6.10

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.6.9

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:182 semgrep

Spreading entire process.env into an object — may capture all secrets 180 | stdio: 'pipe', 181 | cwd: context.root, > 182 | env: { 183 | FORCE_COLOR: 'true', 184 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.3.12

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:181 semgrep

Spreading entire process.env into an object — may capture all secrets 179 | stdio: 'pipe', 180 | cwd: context.root, > 181 | env: { 182 | FORCE_COLOR: 'true', 183 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v20.8.4

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:181 semgrep

Spreading entire process.env into an object — may capture all secrets 179 | stdio: 'pipe', 180 | cwd: context.root, > 181 | env: { 182 | FORCE_COLOR: 'true', 183 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v20.8.3

2 findings

HIGH env-spread: src/executors/file-server/file-server.impl.js:181 semgrep

Spreading entire process.env into an object — may capture all secrets 179 | stdio: 'pipe', 180 | cwd: context.root, > 181 | env: { 182 | FORCE_COLOR: 'true', 183 | ...process.env,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.