
@nxlv/python

Versions: 17
License
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
No source commit

Maintainers

lucas.vieira

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:env-spread | AI (semgrep): All instances are in .spec.ts test files; spreading process.env for subprocess test fixtures is standard and not a runtime risk. | ai |
phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a known implicit TypeScript runtime dependency; declared in package.json dependencies. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): NX executor package legitimately spawns child processes to run Python tooling; stable pattern across versions. | ai |

Versions (showing 17 of 17)

Version Deps Published
22.2.0 17 / 0
22.1.4 14 / 0
22.1.3 14 / 0
22.1.2 14 / 0
22.1.1 14 / 0
22.1.0 14 / 0
22.0.5 14 / 0
22.0.4 14 / 0
22.0.3 14 / 0
22.0.2 14 / 0
22.0.1 14 / 0
22.0.0 14 / 0
21.3.1 16 / 0
21.3.0 16 / 0
21.2.3 15 / 0
21.2.2 15 / 0
21.2.1 15 / 0

v22.2.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.1.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.1.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.1.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.1.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.0.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.0.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.0.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.0.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v22.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.3.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.3.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.2.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.2.2

16 findings
HIGH env-spread: src/executors/install/executor.spec.ts:184 semgrep

Spreading entire process.env into an object — may capture all secrets

  182 |   cwd: 'apps/app',
  183 |   shell: false,
> 184 |   env: {
  185 |     ...process.env,
  186 |     POETRY_CACHE_DIR: path.resolve('apps/app/.cache/pypoetry'),

HIGH env-spread: src/executors/install/executor.spec.ts:210 semgrep

Spreading entire process.env into an object — may capture all secrets

  208 |   shell: false,
  209 |   cwd: 'apps/app',
> 210 |   env: {
  211 |     ...process.env,
  212 |     POETRY_CACHE_DIR: path.resolve('apps/app/.cache/pypoetry'),

HIGH env-spread: src/executors/lock/executor.spec.ts:210 semgrep

Spreading entire process.env into an object — may capture all secrets

  208 |   cwd: 'apps/app',
  209 |   shell: false,
> 210 |   env: {
  211 |     ...process.env,
  212 |     POETRY_CACHE_DIR: path.resolve('apps/app/.cache/pypoetry'),

HIGH env-spread: src/executors/lock/executor.spec.ts:283 semgrep

Spreading entire process.env into an object — may capture all secrets

  281 |   shell: false,
  282 |   cwd: 'apps/app',
> 283 |   env: {
  284 |     ...process.env,
  285 |     POETRY_CACHE_DIR: path.resolve('apps/app/.cache/pypoetry'),

HIGH env-spread: src/executors/publish/executor.spec.ts:190 semgrep

Spreading entire process.env into an object — may capture all secrets

  188 | expect(childProcessMocks.spawn).toHaveBeenCalledWith('poetry publish', {
  189 |   cwd: 'tmp',
> 190 |   env: { ...process.env, FORCE_COLOR: 'true' },
  191 |   shell: true,
  192 |   stdio: ['inherit', 'pipe', 'pipe'],

HIGH env-spread: src/executors/publish/executor.spec.ts:239 semgrep

Spreading entire process.env into an object — may capture all secrets

  237 | {
  238 |   cwd: 'tmp',
> 239 |   env: { ...process.env, FORCE_COLOR: 'true' },
  240 |   shell: true,
  241 |   stdio: ['inherit', 'pipe', 'pipe'],

HIGH env-spread: src/executors/publish/executor.spec.ts:289 semgrep

Spreading entire process.env into an object — may capture all secrets

  287 | {
  288 |   cwd: 'tmp',
> 289 |   env: { ...process.env, FORCE_COLOR: 'true' },
  290 |   shell: true,
  291 |   stdio: ['inherit', 'pipe', 'pipe'],

HIGH env-spread: src/executors/publish/executor.spec.ts:342 semgrep

Spreading entire process.env into an object — may capture all secrets

  340 | expect(childProcessMocks.spawn).toHaveBeenCalledWith('poetry publish', {
  341 |   cwd: 'tmp',
> 342 |   env: { ...process.env, FORCE_COLOR: 'true' },
  343 |   shell: true,
  344 |   stdio: ['inherit', 'pipe', 'pipe'],

HIGH env-spread: src/executors/publish/executor.spec.ts:394 semgrep

Spreading entire process.env into an object — may capture all secrets

  392 | expect(childProcessMocks.spawn).toHaveBeenCalledWith('poetry publish', {
  393 |   cwd: 'tmp',
> 394 |   env: { ...process.env, FORCE_COLOR: 'true' },
  395 |   shell: true,
  396 |   stdio: ['inherit', 'pipe', 'pipe'],

HIGH env-spread: src/executors/sync/executor.spec.ts:196 semgrep

Spreading entire process.env into an object — may capture all secrets

  194 |   cwd: 'apps/app',
  195 |   shell: false,
> 196 |   env: {
  197 |     ...process.env,
  198 |     POETRY_CACHE_DIR: path.resolve('apps/app/.cache/pypoetry'),

HIGH env-spread: src/executors/sync/executor.spec.ts:240 semgrep

Spreading entire process.env into an object — may capture all secrets

  238 |   shell: false,
  239 |   cwd: 'apps/app',
> 240 |   env: {
  241 |     ...process.env,
  242 |     POETRY_CACHE_DIR: path.resolve('apps/app/.cache/pypoetry'),

HIGH env-spread: src/executors/utils/cmd.ts:18 semgrep

Spreading entire process.env into an object — may capture all secrets

  16 | return new Promise((resolve, reject) => {
  17 |   console.log(`Running command: ${command}`);
> 18 |   const env: Record<string, string> = {
  19 |     ...process.env,
  20 |     ...(envVars ?? {}),

HIGH env-spread: src/provider/poetry/provider.ts:517 semgrep

Spreading entire process.env into an object — may capture all secrets

  515 |
  516 | if (options?.cacheDir) {
> 517 |   execOpts.env = {
  518 |     ...process.env,
  519 |     POETRY_CACHE_DIR: path.resolve(options.cacheDir),

HIGH env-spread: src/provider/poetry/provider.ts:595 semgrep

Spreading entire process.env into an object — may capture all secrets

  593 |
  594 | if (options.cacheDir) {
> 595 |   execOptions.env = {
  596 |     ...process.env,
  597 |     POETRY_CACHE_DIR: path.resolve(options.cacheDir),

HIGH env-spread: src/provider/poetry/provider.ts:668 semgrep

Spreading entire process.env into an object — may capture all secrets

  666 |
  667 | if (options?.cacheDir) {
> 668 |   execOptions.env = {
  669 |     ...process.env,
  670 |     POETRY_CACHE_DIR: path.resolve(options.cacheDir),

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.2.1

16 findings
HIGH env-spread: src/executors/install/executor.spec.ts:184 semgrep

Spreading entire process.env into an object — may capture all secrets

  182 |   cwd: 'apps/app',
  183 |   shell: false,
> 184 |   env: {
  185 |     ...process.env,
  186 |     POETRY_CACHE_DIR: path.resolve('apps/app/.cache/pypoetry'),

HIGH env-spread: src/executors/install/executor.spec.ts:210 semgrep

Spreading entire process.env into an object — may capture all secrets

  208 |   shell: false,
  209 |   cwd: 'apps/app',
> 210 |   env: {
  211 |     ...process.env,
  212 |     POETRY_CACHE_DIR: path.resolve('apps/app/.cache/pypoetry'),

HIGH env-spread: src/executors/lock/executor.spec.ts:210 semgrep

Spreading entire process.env into an object — may capture all secrets

  208 |   cwd: 'apps/app',
  209 |   shell: false,
> 210 |   env: {
  211 |     ...process.env,
  212 |     POETRY_CACHE_DIR: path.resolve('apps/app/.cache/pypoetry'),

HIGH env-spread: src/executors/lock/executor.spec.ts:283 semgrep

Spreading entire process.env into an object — may capture all secrets

  281 |   shell: false,
  282 |   cwd: 'apps/app',
> 283 |   env: {
  284 |     ...process.env,
  285 |     POETRY_CACHE_DIR: path.resolve('apps/app/.cache/pypoetry'),

HIGH env-spread: src/executors/publish/executor.spec.ts:190 semgrep

Spreading entire process.env into an object — may capture all secrets

  188 | expect(childProcessMocks.spawn).toHaveBeenCalledWith('poetry publish', {
  189 |   cwd: 'tmp',
> 190 |   env: { ...process.env, FORCE_COLOR: 'true' },
  191 |   shell: true,
  192 |   stdio: ['inherit', 'pipe', 'pipe'],

HIGH env-spread: src/executors/publish/executor.spec.ts:239 semgrep

Spreading entire process.env into an object — may capture all secrets

  237 | {
  238 |   cwd: 'tmp',
> 239 |   env: { ...process.env, FORCE_COLOR: 'true' },
  240 |   shell: true,
  241 |   stdio: ['inherit', 'pipe', 'pipe'],

HIGH env-spread: src/executors/publish/executor.spec.ts:289 semgrep

Spreading entire process.env into an object — may capture all secrets

  287 | {
  288 |   cwd: 'tmp',
> 289 |   env: { ...process.env, FORCE_COLOR: 'true' },
  290 |   shell: true,
  291 |   stdio: ['inherit', 'pipe', 'pipe'],

HIGH env-spread: src/executors/publish/executor.spec.ts:342 semgrep

Spreading entire process.env into an object — may capture all secrets

  340 | expect(childProcessMocks.spawn).toHaveBeenCalledWith('poetry publish', {
  341 |   cwd: 'tmp',
> 342 |   env: { ...process.env, FORCE_COLOR: 'true' },
  343 |   shell: true,
  344 |   stdio: ['inherit', 'pipe', 'pipe'],

HIGH env-spread: src/executors/publish/executor.spec.ts:394 semgrep

Spreading entire process.env into an object — may capture all secrets

  392 | expect(childProcessMocks.spawn).toHaveBeenCalledWith('poetry publish', {
  393 |   cwd: 'tmp',
> 394 |   env: { ...process.env, FORCE_COLOR: 'true' },
  395 |   shell: true,
  396 |   stdio: ['inherit', 'pipe', 'pipe'],

HIGH env-spread: src/executors/sync/executor.spec.ts:196 semgrep

Spreading entire process.env into an object — may capture all secrets

  194 |   cwd: 'apps/app',
  195 |   shell: false,
> 196 |   env: {
  197 |     ...process.env,
  198 |     POETRY_CACHE_DIR: path.resolve('apps/app/.cache/pypoetry'),

HIGH env-spread: src/executors/sync/executor.spec.ts:240 semgrep

Spreading entire process.env into an object — may capture all secrets

  238 |   shell: false,
  239 |   cwd: 'apps/app',
> 240 |   env: {
  241 |     ...process.env,
  242 |     POETRY_CACHE_DIR: path.resolve('apps/app/.cache/pypoetry'),

HIGH env-spread: src/executors/utils/cmd.ts:18 semgrep

Spreading entire process.env into an object — may capture all secrets

  16 | return new Promise((resolve, reject) => {
  17 |   console.log(`Running command: ${command}`);
> 18 |   const env: Record<string, string> = {
  19 |     ...process.env,
  20 |     ...(envVars ?? {}),

HIGH env-spread: src/provider/poetry/provider.ts:517 semgrep

Spreading entire process.env into an object — may capture all secrets

  515 |
  516 | if (options?.cacheDir) {
> 517 |   execOpts.env = {
  518 |     ...process.env,
  519 |     POETRY_CACHE_DIR: path.resolve(options.cacheDir),

HIGH env-spread: src/provider/poetry/provider.ts:595 semgrep

Spreading entire process.env into an object — may capture all secrets

  593 |
  594 | if (options.cacheDir) {
> 595 |   execOptions.env = {
  596 |     ...process.env,
  597 |     POETRY_CACHE_DIR: path.resolve(options.cacheDir),

HIGH env-spread: src/provider/poetry/provider.ts:668 semgrep

Spreading entire process.env into an object — may capture all secrets

  666 |
  667 | if (options?.cacheDir) {
> 668 |   execOptions.env = {
  669 |     ...process.env,
  670 |     POETRY_CACHE_DIR: path.resolve(options.cacheDir),

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.