
@pact-foundation/pact

Pact for all things Javascript

Versions: 7
License: MIT
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

Signals present: SLSA provenance attestation, npm registry signatures, gitHead linked.

Maintainers

mefellows-pact, you54f, mfellows, mefellows, timothyjones

Keywords

pact, pact-js, javascript, contract testing, testing, consumer driven testing

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:env-spread | AI (semgrep): Occurs in a test spec file to snapshot/restore process.env in afterEach; standard test hygiene, not a secret leak. | ai |
dependencies | unvetted-dep:http-proxy | AI (dependencies): http-proxy is a core dependency for pact-js's verifier proxy functionality; stable and expected for this package. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Decodes HTTP request body content for message pact verification; legitimate protocol handling. | ai |
semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP is 127.0.0.1 (localhost) used as the default proxy base URL; expected for a local proxy in contract testing. | ai |
typosquat | typosquat.levenshtein:react | AI (typosquat): Scoped package @pact-foundation/pact is not a typosquat of react; completely different domain and well-established org. | ai |
phantom-deps | phantom-dep:router | AI (phantom-deps): router is a declared runtime dependency in package.json; phantom-dep heuristic false positive. | ai |

Versions (showing 7 of 7)

Version | Deps | Published
16.4.0 | 15 / 31 |
16.3.1 | 15 / 41 |
16.1.0 | 15 / 41 |
16.0.4 | 15 / 41 |
16.0.3 | 15 / 41 |
16.0.1 | 14 / 40 |
16.0.0 | 14 / 40 |

v16.4.0

2 findings
HIGH env-spread (semgrep): src/dsl/verifier/proxy/proxyRequest.spec.js:76

Spreading the entire process.env into an object may capture every secret present in the environment. Here it is accepted (see Accepted risks above): the spread is a snapshot taken in a test spec so that afterEach can restore process.env, standard test hygiene rather than a secret leak.
Source: https://github.com/pact-foundation/pact-js/blob/f82fd701274fafa67b6fc25b7c895b6da7df3328/src/dsl/verifier/proxy/proxyRequest.spec.js#L76

  74 | });
  75 | context('agent', () => {
> 76 |   const initialEnv = { ...process.env };
  77 |   afterEach(() => {
  78 |     process.env = { ...initialEnv };

INFO Has SLSA provenance attestation provenance

Published via CI/CD with a Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal npm offers: it ties the published tarball to the source commit and the CI workflow that built it. It says nothing about whether that source is safe, so it complements review of the code rather than replacing it.

v16.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with a Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal npm offers: it ties the published tarball to the source commit and the CI workflow that built it. It says nothing about whether that source is safe, so it complements review of the code rather than replacing it.

v16.0.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal: without it nothing ties the tarball to a source commit or a build, so a consumer cannot verify that what the registry serves was built from the repository it claims to come from.

v16.0.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal: without it nothing ties the tarball to a source commit or a build, so a consumer cannot verify that what the registry serves was built from the repository it claims to come from.

v16.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal: without it nothing ties the tarball to a source commit or a build, so a consumer cannot verify that what the registry serves was built from the repository it claims to come from.

v16.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal: without it nothing ties the tarball to a source commit or a build, so a consumer cannot verify that what the registry serves was built from the repository it claims to come from.