@playcraft/devkit
HTML5 Playable Ads build tool with support for packaging to multiple ad channels
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:child-process-import | AI (semgrep): Build CLI tool; child_process is used to spawn webpack/npm build commands — expected and documented behavior. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads user-supplied builds.config.js at project root — standard config-loading pattern for build tools. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env-spread fires in build command construction context; passing env to child build processes is normal for a build orchestrator. | ai | |
| phantom-deps | phantom-dep:vue | AI (phantom-deps): Peer/build dependency referenced in webpack config templates, not directly imported by the tool. | ai | |
| phantom-deps | phantom-dep:css-loader | AI (phantom-deps): Webpack loader dependency referenced in config templates, not directly imported. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Framework-scoped build dependency; loaded by convention via babel-loader. | ai | |
| phantom-deps | phantom-dep:babel-loader | AI (phantom-deps): Webpack loader referenced in config templates, not directly imported. | ai | |
| phantom-deps | phantom-dep:style-loader | AI (phantom-deps): Webpack loader referenced in config templates, not directly imported. | ai | |
| phantom-deps | phantom-dep:esbuild-loader | AI (phantom-deps): Webpack loader referenced in config templates, not directly imported. | ai | |
| phantom-deps | phantom-dep:@babel/preset-env | AI (phantom-deps): Babel preset loaded by convention via babel-loader config, not directly imported. | ai | |
| phantom-deps | phantom-dep:@vue/compiler-sfc | AI (phantom-deps): Vue SFC compiler loaded by vue-loader convention, not directly imported. | ai | |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 1.0.16 | 30 / 0 | |
| 1.0.14 | 30 / 0 | |
| 1.0.13 | 30 / 0 | |
| 1.0.12 | 30 / 0 | |
| 1.0.11 | 30 / 0 | |
| 1.0.10 | 30 / 0 | |
| 1.0.9 | 30 / 0 | |
| 1.0.8 | 30 / 0 | |
| 1.0.7 | 29 / 0 | |
| 1.0.6 | 26 / 0 | |
| 1.0.5 | 28 / 0 | |
| 1.0.4 | 25 / 0 | |
| 1.0.3 | 25 / 0 | |
| 1.0.2 | 25 / 0 | |
v1.0.16
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.14
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.13
2 findings: Spreading entire process.env into an object (may capture all secrets)

```text
  61 | const buildArgs = [channel, `--out-dir "${tempDir}"`]; // if the config contains store links, pass them as command-line arguments
  62 | if (config.googlePlayUrl) { buildArgs.push(`--google-play-url "${config.googlePlayUrl}"`) } if (config.appStoreUrl) { buildArgs.
> 63 | if (isChannelFold2Zip) { buildArgs.push("--is-channel-fold2zip") } await execAsync(`npm run build -- ${buildArgs.join(" ")}`,
  64 | PLAYABLE_BATCH_MODE: "1" // marks batch-build mode: the child process skips runThemeValidation (the parent process already handled it)
  65 | }, // do not use stdio: 'inherit' so that concurrency works; capture the output instead
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.12
2 findings: Spreading entire process.env into an object (may capture all secrets)

```text
  61 | const buildArgs = [channel, `--out-dir "${tempDir}"`]; // if the config contains store links, pass them as command-line arguments
  62 | if (config.googlePlayUrl) { buildArgs.push(`--google-play-url "${config.googlePlayUrl}"`) } if (config.appStoreUrl) { buildArgs.
> 63 | if (isChannelFold2Zip) { buildArgs.push("--is-channel-fold2zip") } await execAsync(`npm run build -- ${buildArgs.join(" ")}`,
  64 | PLAYABLE_BATCH_MODE: "1" // marks batch-build mode: the child process skips runThemeValidation (the parent process already handled it)
  65 | }, // do not use stdio: 'inherit' so that concurrency works; capture the output instead
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.11
2 findings: Spreading entire process.env into an object (may capture all secrets)

```text
  60 | const buildArgs = [channel, `--out-dir "${tempDir}"`]; // if the config contains store links, pass them as command-line arguments
  61 | if (config.googlePlayUrl) { buildArgs.push(`--google-play-url "${config.googlePlayUrl}"`) } if (config.appStoreUrl) { buildArgs.
> 62 | if (isChannelFold2Zip) { buildArgs.push("--is-channel-fold2zip") } await execAsync(`npm run build -- ${buildArgs.join(" ")}`,
  63 | PLAYABLE_BATCH_MODE: "1" // marks batch-build mode: the child process skips runThemeValidation (the parent process already handled it)
  64 | }, // do not use stdio: 'inherit' so that concurrency works; capture the output instead
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.10
2 findings: Spreading entire process.env into an object (may capture all secrets)

```text
  60 | const buildArgs = [channel, `--out-dir "${tempDir}"`]; // if the config contains store links, pass them as command-line arguments
  61 | if (config.googlePlayUrl) { buildArgs.push(`--google-play-url "${config.googlePlayUrl}"`) } if (config.appStoreUrl) { buildArgs.
> 62 | if (isChannelFold2Zip) { buildArgs.push("--is-channel-fold2zip") } await execAsync(`npm run build -- ${buildArgs.join(" ")}`,
  63 | }, // do not use stdio: 'inherit' so that concurrency works; capture the output instead
  64 | maxBuffer: 10 * 1024 * 1024 // 10MB buffer
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.9
2 findings: Spreading entire process.env into an object (may capture all secrets)

```text
  60 | const buildArgs = [channel, `--out-dir "${tempDir}"`]; // if the config contains store links, pass them as command-line arguments
  61 | if (config.googlePlayUrl) { buildArgs.push(`--google-play-url "${config.googlePlayUrl}"`) } if (config.appStoreUrl) { buildArgs.
> 62 | if (isChannelFold2Zip) { buildArgs.push("--is-channel-fold2zip") } await execAsync(`npm run build -- ${buildArgs.join(" ")}`,
  63 | }, // do not use stdio: 'inherit' so that concurrency works; capture the output instead
  64 | maxBuffer: 10 * 1024 * 1024 // 10MB buffer
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.8
2 findings: Spreading entire process.env into an object (may capture all secrets)

```text
  60 | const buildArgs = [channel, `--out-dir "${tempDir}"`]; // if the config contains store links, pass them as command-line arguments
  61 | if (config.googlePlayUrl) { buildArgs.push(`--google-play-url "${config.googlePlayUrl}"`) } if (config.appStoreUrl) { buildArgs.
> 62 | if (isChannelFold2Zip) { buildArgs.push("--is-channel-fold2zip") } await execAsync(`npm run build -- ${buildArgs.join(" ")}`,
  63 | }, // do not use stdio: 'inherit' so that concurrency works; capture the output instead
  64 | maxBuffer: 10 * 1024 * 1024 // 10MB buffer
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.7
2 findings: Spreading entire process.env into an object (may capture all secrets)

```text
  60 | const buildArgs = [channel, `--out-dir "${tempDir}"`]; // if the config contains store links, pass them as command-line arguments
  61 | if (config.googlePlayUrl) { buildArgs.push(`--google-play-url "${config.googlePlayUrl}"`) } if (config.appStoreUrl) { buildArgs.
> 62 | if (isChannelFold2Zip) { buildArgs.push("--is-channel-fold2zip") } await execAsync(`npm run build -- ${buildArgs.join(" ")}`,
  63 | }, // do not use stdio: 'inherit' so that concurrency works; capture the output instead
  64 | maxBuffer: 10 * 1024 * 1024 // 10MB buffer
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.6
2 findings: Spreading entire process.env into an object (may capture all secrets)

```text
  60 | const buildArgs = [channel, `--out-dir "${tempDir}"`]; // if the config contains store links, pass them as command-line arguments
  61 | if (config.googlePlayUrl) { buildArgs.push(`--google-play-url "${config.googlePlayUrl}"`) } if (config.appStoreUrl) { buildArgs.
> 62 | if (isChannelFold2Zip) { buildArgs.push("--is-channel-fold2zip") } await execAsync(`npm run build -- ${buildArgs.join(" ")}`,
  63 | }, // do not use stdio: 'inherit' so that concurrency works; capture the output instead
  64 | maxBuffer: 10 * 1024 * 1024 // 10MB buffer
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.5
2 findings: Spreading entire process.env into an object (may capture all secrets)

```text
  61 | const buildArgs = [channel, `--out-dir "${tempDir}"`]; // if the config contains store links, pass them as command-line arguments
  62 | if (config.googlePlayUrl) { buildArgs.push(`--google-play-url "${config.googlePlayUrl}"`) } if (config.appStoreUrl) { buildArgs.
> 63 | if (isChannelFold2Zip) { buildArgs.push("--is-channel-fold2zip") } await execAsync(`npm run build -- ${buildArgs.join(" ")}`,
  64 | }, // do not use stdio: 'inherit' so that concurrency works; capture the output instead
  65 | maxBuffer: 10 * 1024 * 1024 // 10MB buffer
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.4
2 findings: Spreading entire process.env into an object (may capture all secrets)

```text
  61 | const buildArgs = [channel, `--out-dir "${tempDir}"`]; // if the config contains store links, pass them as command-line arguments
  62 | if (config.googlePlayUrl) { buildArgs.push(`--google-play-url "${config.googlePlayUrl}"`) } if (config.appStoreUrl) { buildArgs.
> 63 | if (isChannelFold2Zip) { buildArgs.push("--is-channel-fold2zip") } await execAsync(`npm run build -- ${buildArgs.join(" ")}`,
  64 | }, // do not use stdio: 'inherit' so that concurrency works; capture the output instead
  65 | maxBuffer: 10 * 1024 * 1024 // 10MB buffer
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.