@s-hirano-ist/s-database
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Fires in generated Prisma client runtime; standard Prisma pattern for env config, not malicious. | ai | |
| source-diff | obfuscated-file:src/generated/query_compiler_fast_bg.js | AI (source-diff): wasm-bindgen JS glue; minified by design, not obfuscated malware. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:src/generated/query_compiler_fast_bg.wasm-base64.js | AI (source-diff): Base64-encoded WASM binary (AGFzbQ header confirms); standard wasm-bindgen distribution pattern. | ai | |
| phantom-deps | phantom-dep:@prisma/extension-accelerate | AI (phantom-deps): Declared as a runtime dependency in package.json; phantom-dep heuristic misfires for Prisma extension packages. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Runs prisma:generate — standard Prisma client codegen step, stable for this package. | ai | |
| phantom-deps | phantom-dep:@prisma/client | AI (phantom-deps): Same as above — config-level reference in a Prisma wrapper is expected, not a phantom dep concern. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding is Prisma's WASM binary loading pattern in generated client code, not malicious. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decode fires in minified Prisma runtime client.js; standard bundled code pattern. | ai | |
| phantom-deps | phantom-dep:prisma | AI (phantom-deps): Prisma is referenced in config/scripts, not imported directly; expected for a Prisma wrapper package. | ai | |
Versions (showing 14 of 14)
| Version | Deps | Published |
|---|---|---|
| 1.19.0 | 4 / 3 | |
| 1.18.5 | 4 / 3 | |
| 1.9.0 | 3 / 2 | |
| 1.8.2 | 3 / 2 | |
| 1.8.1 | 3 / 2 | |
| 1.6.0 | 3 / 2 | |
| 1.3.1 | 2 / 3 | |
| 1.3.0 | 2 / 3 | |
| 1.1.6 | 2 / 3 | |
| 1.1.4 | 2 / 2 | |
| 1.1.2 | 2 / 2 | |
| 1.1.1 | 2 / 2 | |
| 1.1.0 | 2 / 2 | |
| 1.0.0 | 2 / 2 | |
v1.19.0
2 findings
Script: pnpm prisma:generate
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.18.5
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.0
2 findings
Spreading entire process.env into an object — may capture all secrets
116 | You may have to run ${qe("prisma generate")} for your changes to take effect.`,this.config.clientVersion);return r}}pars
117 | ${a.backtrace}`,{clientVersion:this.config.clientVersion})}}async requestBatch(r,{transaction:t,traceparent:n}){Re("requ
> 118 | `);o.push({_tag:"error",value:I})},l=!!e?.startsWith("prisma://"),u=an(e),c=!!r,p=l||u;!c&&t&&p&&n!=="client"&&n!=="wasm
119 | Using the example below you can still execute your query with Prisma, but please note that it is vulnerable to SQL injec
120 |
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.