@prisma/client
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:eval-usage | AI (semgrep): eval-usage fires in minified engine-path error-message code; not dynamic eval of user input. Stable false positive for this bundled ORM package. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Minified runtime reads env for DB connection config; standard ORM behavior, not secret exfiltration. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): Postinstall spawns prisma generate; documented install flow for @prisma/client. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get in WASM engine bindings generated by wasm-bindgen; not obfuscation. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Prisma publishes across multiple major version branches; gaps on one branch while others are active is normal. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Prisma's documented postinstall runs code generation via `node scripts/postinstall.js`; stable for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Prisma ships bundled runtime and WASM query engine files; large file counts are inherent to the package architecture. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding converts WASM binaries (stored as base64 JS files) back to .wasm during code generation — standard WASM distribution pattern for npm packages. | ai | |
| dependencies | unvetted-dep:@prisma/client-runtime-utils | AI (dependencies): First-party Prisma monorepo package at matching version (7.8.0); not a third-party unvetted dependency. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): False positive on minified runtime code; sample shows stack trace parsing regexes, not hex payload decoding. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Prisma's generator legitimately uses child_process to invoke native engine binaries during schema generation. Expected behavior for a database ORM with native binary components. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in generator-build loads WASM bundles from controlled, known paths as part of Prisma's documented WASM query compiler build pipeline. Not arbitrary module loading. | ai | |
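To make the accepted-risk reasoning above reproducible rather than a matter of trust, here is an added example (not the scanner's code and not Prisma's) that re-runs the heuristics this page fires over an unpacked tarball: lifecycle scripts checked against an allowlist containing only the documented `node scripts/postinstall.js`, lines over 3000 chars, and unbroken base64-alphabet runs of 200+ chars, with each hit tagged by the accepted-risk rule that covers it. The path conditions (bundled output expected only under `runtime/`, base64 expected only in files with `wasm` in the name), the allowlist, and the fixture package it builds are this example's assumptions, not the scanner's rules.

```python
import json
import re
import tempfile
from pathlib import Path

LONG_LINE = 3000          # "lines over 3000 chars" finding on this page
ENCODED_RUN = 200         # "long encoded string(s) (200+ chars)" finding
# Assumptions of this example, not the scanner's rules: the only permitted
# lifecycle script is the documented postinstall, and bundled/minified output
# is expected only under these top-level directories.
ALLOWED_SCRIPTS = {"postinstall": "node scripts/postinstall.js"}
BUNDLE_DIRS = {"runtime"}
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
# Unbroken base64-alphabet run of ENCODED_RUN+ chars, optionally padded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % ENCODED_RUN)


def accepted_rule(kind, where):
    """Return the accepted-risk rule from the table above that covers a hit,
    or None when the hit should block. The path conditions are this example's."""
    if kind == "install-script":
        name, cmd = where
        return "install-script:postinstall" if ALLOWED_SCRIPTS.get(name) == cmd else None
    if kind == "long-lines" and where.split("/")[0] in BUNDLE_DIRS:
        return "large-new-source-files"
    if kind == "encoded-string" and "wasm" in where.lower():
        return "semgrep:base64-decode"
    return None


def check_install_scripts(pkg_json):
    """Every lifecycle script is a finding; only allowlisted ones are accepted."""
    scripts = pkg_json.get("scripts", {})
    return [
        {"kind": "install-script", "where": f"{n}: {scripts[n]}",
         "accepted": accepted_rule("install-script", (n, scripts[n]))}
        for n in LIFECYCLE if n in scripts
    ]


def scan_file(path, root):
    """Reproduce the two content heuristics on one JS file."""
    rel = path.relative_to(root).as_posix()
    text = path.read_text(encoding="utf-8", errors="replace")
    hits = []
    if any(len(line) > LONG_LINE for line in text.splitlines()):
        hits.append({"kind": "long-lines", "where": rel,
                     "accepted": accepted_rule("long-lines", rel)})
    n_runs = len(B64_RUN.findall(text))
    if n_runs:
        hits.append({"kind": "encoded-string", "where": f"{rel} ({n_runs} run(s))",
                     "accepted": accepted_rule("encoded-string", rel)})
    return hits


def audit(pkg_dir):
    """Audit an unpacked tarball directory (e.g. the package/ dir from
    `npm pack` followed by tar -xzf)."""
    root = Path(pkg_dir)
    findings = check_install_scripts(json.loads((root / "package.json").read_text()))
    for p in sorted(root.rglob("*.js")):
        findings += scan_file(p, root)
    return {
        "findings": findings,
        "accepted": [f for f in findings if f["accepted"]],
        "blocking": [f for f in findings if not f["accepted"]],
    }


def write_sample_package(root):
    """Constructed fixture (not Prisma's real files): one documented and one
    undocumented install script, a minified bundle, a base64-embedded WASM
    file, and a base64 blob outside any bundle directory."""
    root = Path(root)
    (root / "runtime").mkdir()
    (root / "package.json").write_text(json.dumps({
        "name": "sample", "version": "0.0.0",
        "scripts": {"postinstall": "node scripts/postinstall.js",
                    "preinstall": "node scripts/not-documented.js"}}))
    (root / "runtime" / "library.js").write_text("var a=1;" * 500 + "\n")
    (root / "runtime" / "query_engine_bg.wasm-base64.js").write_text(
        'module.exports = "' + "A" * 300 + '";\n')
    (root / "index.js").write_text('const blob = "' + "Q" * 250 + '";\n')


def run_demo():
    """Build the fixture in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        write_sample_package(d)
        return audit(d)


if __name__ == "__main__":
    for f in run_demo()["findings"]:
        print("ACCEPT" if f["accepted"] else "BLOCK ", f["kind"], f["where"], f["accepted"] or "")
```

Against the fixture this reports five findings: the documented postinstall, the minified `runtime/library.js` and the base64 WASM file are tagged with their accepted rules, while the undocumented `preinstall` and the base64 blob in `index.js` stay blocking. To run it on the real package, `npm pack @prisma/client@7.8.0`, extract the tarball, and call `audit("package")`; a hit that lands in `blocking` is exactly the case the accepted-risk reasons above do not cover.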
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 7.8.0 | 1 / 100 | |
| 7.7.0 | 1 / 100 | |
| 7.6.0 | 1 / 100 | |
| 7.4.2 | 1 / 100 | |
| 7.2.0 | 1 / 98 | |
| 6.19.3 | 0 / 98 | |
| 6.19.2 | 0 / 98 | |
| 6.19.1 | 0 / 98 | |
| 6.19.0 | 0 / 98 | |
| 5.17.0 | 0 / 95 | |
v7.8.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal: it binds the published tarball to a specific CI workflow run and source commit. It does not vouch for the contents of that source, so pair it with a review of the diff; `npm audit signatures` checks the attestation for installed packages.
v7.7.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.6.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.4.2
41 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (40 files; covered by the accepted large-new-source-files rationale above: Prisma ships bundled runtime and WASM engine files)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.2.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.19.3
4 findings
Script: node scripts/postinstall.js (install script; the documented postinstall accepted above as install-script:postinstall)
Spreading entire process.env into an object — may capture all secrets. (2 occurrences, accepted above under semgrep:env-spread. Excerpts from the minified runtime follow: scanner line numbers, `>` marks the flagged line, each line is truncated; the "vulnerable to SQL injec" text is a truncated Prisma error-message string in the bundle, not a finding.)
    112 | You may have to run ${qe("prisma generate")} for your changes to take effect.`,this.config.clientVersion);return r}}pars
    113 | ${a.backtrace}`,{clientVersion:this.config.clientVersion})}}async requestBatch(r,{transaction:t,traceparent:n}){Re("requ
    > 114 | `);o.push({_tag:"error",value:I})},l=!!e?.startsWith("prisma://"),u=an(e),c=!!r,p=l||u;!c&&t&&p&&n!=="client"&&n!=="wasm
    115 | Using the example below you can still execute your query with Prisma, but please note that it is vulnerable to SQL injec
    116 |
    119 | You may have to run ${$e("prisma generate")} for your changes to take effect.`,this.config.clientVersion);return r}}pars
    120 | ${a.backtrace}`,{clientVersion:this.config.clientVersion})}}async requestBatch(r,{transaction:t,traceparent:n}){Re("requ
    > 121 | `);o.push({_tag:"error",value:I})},l=!!e?.startsWith("prisma://"),u=en(e),c=!!r,p=l||u;!c&&t&&p&&n!=="client"&&n!=="wasm
    122 | Using the example below you can still execute your query with Prisma, but please note that it is vulnerable to SQL injec
    123 |
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.19.2
45 findings
Script: node scripts/postinstall.js (install script; the documented postinstall accepted above as install-script:postinstall)
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (29 files; covered by the accepted large-new-source-files rationale above)
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads. (10 files; consistent with the accepted semgrep:base64-decode rationale above: WASM binaries shipped as base64-encoded JS files)
Spreading entire process.env into an object — may capture all secrets. (4 occurrences, accepted above under semgrep:env-spread. Excerpts from the minified runtime follow: scanner line numbers, `>` marks the flagged line, each line is truncated; the "vulnerable to SQL injec" text is a truncated Prisma error-message string in the bundle, not a finding.)
    72 | ${n.backtrace}`,{clientVersion:this.config.clientVersion})}catch{return t}}#p(t){return t instanceof re?t:typeof t.messa
    73 | ${t}`,R(r,!0))}};P(Wr,"RequestError");async function at(e,t,r=n=>n){let{clientVersion:n,...i}=t,o=r(fetch);try{return aw
    > 74 | `);o.push({_tag:"error",value:I})},l=!!e?.startsWith("prisma://"),c=nn(e),u=!!t,p=l||c;!u&&r&&p&&n!=="client"&&n!=="wasm
    75 | Using the example below you can still execute your query with Prisma, but please note that it is vulnerable to SQL injec
    76 |
    79 | ${n.backtrace}`,{clientVersion:this.config.clientVersion})}catch{return t}}#p(t){return t instanceof oe?t:typeof t.messa
    80 | ${t}`,R(r,!0))}};P(Hr,"RequestError");async function at(e,t,r=n=>n){let{clientVersion:n,...i}=t,o=r(fetch);try{return aw
    > 81 | `);o.push({_tag:"error",value:I})},l=!!e?.startsWith("prisma://"),c=Xr(e),u=!!t,p=l||c;!u&&r&&p&&n!=="client"&&n!=="wasm
    82 | Using the example below you can still execute your query with Prisma, but please note that it is vulnerable to SQL injec
    83 |
    112 | You may have to run ${qe("prisma generate")} for your changes to take effect.`,this.config.clientVersion);return r}}pars
    113 | ${a.backtrace}`,{clientVersion:this.config.clientVersion})}}async requestBatch(r,{transaction:t,traceparent:n}){Re("requ
    > 114 | `);o.push({_tag:"error",value:I})},l=!!e?.startsWith("prisma://"),u=an(e),c=!!r,p=l||u;!c&&t&&p&&n!=="client"&&n!=="wasm
    115 | Using the example below you can still execute your query with Prisma, but please note that it is vulnerable to SQL injec
    116 |
    119 | You may have to run ${$e("prisma generate")} for your changes to take effect.`,this.config.clientVersion);return r}}pars
    120 | ${a.backtrace}`,{clientVersion:this.config.clientVersion})}}async requestBatch(r,{transaction:t,traceparent:n}){Re("requ
    > 121 | `);o.push({_tag:"error",value:I})},l=!!e?.startsWith("prisma://"),u=en(e),c=!!r,p=l||u;!c&&t&&p&&n!=="client"&&n!=="wasm
    122 | Using the example below you can still execute your query with Prisma, but please note that it is vulnerable to SQL injec
    123 |
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.19.1
3 findings
Script: node scripts/postinstall.js (install script; the documented postinstall accepted above as install-script:postinstall)
Spreading entire process.env into an object — may capture all secrets. (Accepted above under semgrep:env-spread. Excerpt from the minified runtime follows: scanner line numbers, `>` marks the flagged line, each line is truncated; the "vulnerable to SQL injec" text is a truncated Prisma error-message string in the bundle, not a finding.)
    119 | You may have to run ${$e("prisma generate")} for your changes to take effect.`,this.config.clientVersion);return r}}pars
    120 | ${a.backtrace}`,{clientVersion:this.config.clientVersion})}}async requestBatch(r,{transaction:t,traceparent:n}){Re("requ
    > 121 | `);o.push({_tag:"error",value:I})},l=!!e?.startsWith("prisma://"),u=en(e),c=!!r,p=l||u;!c&&t&&p&&n!=="client"&&n!=="wasm
    122 | Using the example below you can still execute your query with Prisma, but please note that it is vulnerable to SQL injec
    123 |
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.19.0
2 findings
Script: node scripts/postinstall.js (install script; the documented postinstall accepted above as install-script:postinstall)
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.17.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
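Every version above carries the same provenance line, and a Sigstore signature only proves who signed the statement; whether the statement says what you expect (this package, this digest, built by the builder you trust from the repository you trust) is a separate policy check. Here is an added example (not npm's, Sigstore's or Prisma's code) that runs that check over a decoded SLSA v1 provenance statement, converting the `sha512-<base64>` integrity from package-lock.json to the hex digest used in the attestation subject. It assumes the Sigstore bundle has already been verified (for instance by `npm audit signatures`; the bundle URL is `dist.attestations.url` in the packument), and the expected repository `https://github.com/prisma/prisma`, the builder prefix, and the constructed sample statement with its placeholder commit, workflow path and run id are this example's assumptions.

```python
import base64
import copy
import hashlib

IN_TOTO_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"      # predicate type quoted on this page

# Policy expectations. Repository and builder prefix are this example's
# assumptions about where a genuine @prisma/client build should come from.
PKG, VERSION = "@prisma/client", "7.8.0"
EXPECTED_REPO = "https://github.com/prisma/prisma"
EXPECTED_BUILDER = "https://github.com/actions/runner/"


def integrity_to_hex(integrity):
    """'sha512-<base64>' (package-lock.json) -> ('sha512', '<hex>'), the form
    used in the attestation subject digest."""
    algo, b64 = integrity.split("-", 1)
    return algo, base64.b64decode(b64).hex()


def check_provenance(statement, pkg, version, integrity, repo, builder_prefix):
    """Policy checks on a decoded SLSA v1 statement. Assumes the Sigstore
    bundle carrying it was already verified. Returns (ok, reasons)."""
    reasons = []
    if statement.get("_type") != IN_TOTO_V1:
        reasons.append("not an in-toto v1 statement")
    if statement.get("predicateType") != SLSA_V1:
        reasons.append(f"unexpected predicateType {statement.get('predicateType')!r}")
    # Subject must be exactly this package/version with the digest from our lockfile.
    algo, want = integrity_to_hex(integrity)
    purl = f"pkg:npm/{pkg.replace('@', '%40')}@{version}"
    subjects = {s.get("name"): s.get("digest", {}) for s in statement.get("subject", [])}
    if purl not in subjects:
        reasons.append(f"subject {purl} missing")
    elif subjects[purl].get(algo) != want:
        reasons.append("subject digest does not match lockfile integrity")
    pred = statement.get("predicate", {})
    bd = pred.get("buildDefinition", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder.startswith(builder_prefix):
        reasons.append(f"unexpected builder {builder!r}")
    wf_repo = bd.get("externalParameters", {}).get("workflow", {}).get("repository")
    if wf_repo != repo:
        reasons.append(f"unexpected source repository {wf_repo!r}")
    # The build must resolve the expected repository to a concrete commit.
    deps = bd.get("resolvedDependencies", [])
    if not any(d.get("uri", "").startswith(f"git+{repo}@") and d.get("digest", {}).get("gitCommit")
               for d in deps):
        reasons.append("no resolved source commit for expected repository")
    return not reasons, reasons


# Constructed statement modelled on the GitHub Actions build type npm emits.
# Tarball bytes, commit, workflow path and run id are placeholders.
_TARBALL = b"placeholder tarball bytes, not the real package"
SAMPLE_INTEGRITY = "sha512-" + base64.b64encode(hashlib.sha512(_TARBALL).digest()).decode()
SAMPLE_STATEMENT = {
    "_type": IN_TOTO_V1,
    "predicateType": SLSA_V1,
    "subject": [{"name": "pkg:npm/%40prisma/client@7.8.0",
                 "digest": {"sha512": hashlib.sha512(_TARBALL).hexdigest()}}],
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {"workflow": {"ref": "refs/heads/main",
                                                "repository": EXPECTED_REPO,
                                                "path": ".github/workflows/placeholder.yml"}},
            "resolvedDependencies": [{"uri": f"git+{EXPECTED_REPO}@refs/heads/main",
                                      "digest": {"gitCommit": "0" * 40}}],
        },
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"},
                       "metadata": {"invocationId": f"{EXPECTED_REPO}/actions/runs/0/attempts/1"}},
    },
}


def run_demo():
    """Genuine statement, the same statement built from a fork, and a digest
    mismatch between lockfile and subject."""
    args = (PKG, VERSION, SAMPLE_INTEGRITY, EXPECTED_REPO, EXPECTED_BUILDER)
    forked = copy.deepcopy(SAMPLE_STATEMENT)
    fork = "https://github.com/someone-else/prisma"
    forked["predicate"]["buildDefinition"]["externalParameters"]["workflow"]["repository"] = fork
    forked["predicate"]["buildDefinition"]["resolvedDependencies"][0]["uri"] = f"git+{fork}@refs/heads/main"
    wrong = "sha512-" + base64.b64encode(b"\x00" * 64).decode()
    return {
        "genuine": check_provenance(SAMPLE_STATEMENT, *args),
        "forked": check_provenance(forked, *args),
        "wrong_digest": check_provenance(SAMPLE_STATEMENT, PKG, VERSION, wrong,
                                         EXPECTED_REPO, EXPECTED_BUILDER),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(name, "OK" if ok else "FAIL", why)
```

The fork case is the one the signature alone does not catch: a statement signed through the same hosted builder from a different repository is a valid attestation, just not the one your policy expects. Feed the real statement by decoding the DSSE payload from the registry bundle and passing your lockfile's integrity for that version.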