
@rocket.chat/apps-engine

The engine code for the Rocket.Chat Apps which manages, runs, translates, coordinates and all of that.

Versions: 28
License: MIT
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance; npm registry signatures; gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

rodrigok, sing.li, geekgonecrazy, diegosampaio, gazzo, dgubert, tassoevan, rocketchat-buildmaster, dougfabris

Keywords

rocket.chat, team chat, apps engine

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:env-spread | AI (semgrep): process.env spread into child_process.execSync for Deno cache script; expected build-time tooling pattern. | ai |
semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() is the documented mechanism for sandboxing app code in the Deno runtime. | ai |
semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() used in a Proxy for API wrapping; standard pattern in this engine. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): child_process used in build script (deno-cache.js) and to spawn the Deno subprocess; expected for this package. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): require() is guarded by ALLOWED_NATIVE_MODULES allowlist; intentional sandbox design. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Base64 decode used in license/crypto verification with publicDecrypt; legitimate cryptographic use. | ai |
provenance | no-provenance | AI (provenance): Established Rocket.Chat org package; lack of Sigstore provenance is not a risk signal here. | ai |
semgrep | semgrep:child-process-spawn | AI (semgrep): Spawns the Deno runtime subprocess; core functionality of AppsEngineDenoRuntime. | ai |

Versions (showing 28 of 28)

Version | Deps | Published
1.62.0 | 10 / 17 |
1.61.1 | 10 / 20 |
1.61.0 | 10 / 20 |
1.60.1 | 10 / 23 |
1.60.0 | 10 / 23 |
1.59.2 | 10 / 23 |
1.59.1 | 10 / 23 |
1.59.0 | 10 / 23 |
1.58.1 | 10 / 23 |
1.58.0 | 10 / 23 |
1.57.3 | 10 / 23 |
1.57.2 | 10 / 23 |
1.57.1 | 10 / 23 |
1.57.0 | 10 / 23 |
1.56.2 | 10 / 23 |
1.56.1 | 10 / 23 |
1.56.0 | 10 / 23 |
1.55.3 | 10 / 23 |
1.55.2 | 10 / 23 |
1.55.1 | 10 / 23 |
1.55.0 | 10 / 23 |
1.54.0 | 10 / 23 |
1.53.1 | 10 / 24 |
1.53.0 | 10 / 24 |
1.52.1 | 10 / 24 |
1.52.0 | 10 / 24 |
1.51.1 | 10 / 24 |
1.51.0 | 11 / 24 |

v1.62.0

2 findings
HIGH env-spread: scripts/deno-cache.js:84 (semgrep)

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/RocketChat/Rocket.Chat.Apps-engine/blob/bb8c7be629b7cbffc7387285c5cb98e5835ad85f/scripts/deno-cache.js#L84

      82 |   childProcess.execSync(commandLine, {
      83 |     cwd: denoRuntimePath,
    > 84 |     env: {
      85 |       ...process.env,
      86 |       DENO_DIR,

LOW No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.61.1, v1.61.0, v1.60.1, v1.60.0, v1.59.2, v1.59.1, v1.59.0, v1.58.1, v1.58.0, v1.57.3, v1.57.2, v1.57.1, v1.57.0, v1.56.2, v1.56.1, v1.56.0, v1.55.3, v1.55.2, v1.55.1, v1.55.0, v1.54.0, v1.53.1, v1.53.0, v1.52.1, v1.52.0, v1.51.1, v1.51.0

1 finding (the same one for each of the versions listed above)
LOW No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.