@salesforce/plugin-info

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ire-npm-team-userjimjagsalesforce-releasesjasonschroeder-sfdcmobifylwc-adminsalesforce-admin

Keywords

forcesalesforcesalesforcedxsf-pluginsfsfdx-pluginsfdx

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-added	AI (maintainer-change): Salesforce consolidates CLI plugin maintenance under salesforce-admin service account; this is a known org-wide pattern, not a takeover signal.	ai	2026/04/27
maintainer-change	maintainer-removed	AI (maintainer-change): Mass removal of individual maintainers in favor of a service account is consistent with Salesforce's documented CLI maintenance consolidation strategy.	ai	2026/04/27
provenance	no-provenance	AI (provenance): Salesforce uses their own signing infrastructure (sfdx.publicKeyUrl/signatureUrl in package.json) as an alternative to Sigstore provenance.	ai	2026/04/27
semgrep	semgrep:env-spread	AI (semgrep): The doctor command legitimately spreads process.env into spawn() to pass environment to child processes while overriding specific vars. This is standard CLI tooling behavior, not a security risk for this package.	ai	2026/04/26

Versions (showing 51 of 80)

View all versions

Version	Deps	Published
3.4.139	12 / 15	2026-05-31
3.4.138	12 / 15	2026-05-31
3.4.137	12 / 15	2026-05-31
3.4.136	12 / 15	2026-05-24
3.4.135	12 / 15	2026-05-24
3.4.134	12 / 15	2026-05-24
3.4.133	12 / 15	2026-05-17
3.4.132	12 / 15	2026-05-17
3.4.131	12 / 15	2026-05-10
3.4.130	12 / 15	2026-05-10
3.4.129	12 / 15	2026-05-10
3.4.128	12 / 15	2026-05-09
3.4.127	12 / 15	2026-05-09
3.4.126	12 / 15	2026-05-08
3.4.125	12 / 15	2026-05-03
3.4.124	12 / 15	2026-04-26
3.4.123	12 / 15	2026-04-19
3.4.122	12 / 15	2026-04-17
3.4.121	12 / 15	2026-04-11
3.4.120	12 / 15	2026-04-09
3.4.118	12 / 15	2026-04-05
3.4.117	12 / 15	2026-04-05
3.4.116	12 / 15	2026-04-05
3.4.115	12 / 15	2026-03-27
3.4.114	12 / 15	2026-03-22
3.4.113	12 / 15	2026-03-22
3.4.112	12 / 15	2026-03-20
3.4.111	12 / 15	2026-03-15
3.4.110	12 / 15	2026-03-15
3.4.109	12 / 15	2026-03-08
3.4.108	12 / 15	2026-03-08
3.4.107	12 / 15	2026-03-01
3.4.106	12 / 15	2026-02-26
3.4.105	12 / 15	2026-02-22
3.4.104	12 / 15	2026-02-15
3.4.103	12 / 15	2026-02-11
3.4.102	12 / 15	2026-02-11
3.4.101	12 / 15	2026-02-11
3.4.100	12 / 15	2025-12-07
3.4.99	12 / 15	2025-12-07
3.4.98	12 / 15	2025-12-05
3.4.96	12 / 15	2025-11-02
3.4.95	12 / 15	2025-10-26
3.4.94	12 / 15	2025-10-26
3.4.93	12 / 15	2025-10-19
3.4.89	12 / 15	2025-10-05
3.4.88	12 / 15	2025-09-21
3.4.87	12 / 15	2025-09-14
3.4.86	12 / 15	2025-09-14
3.4.85	12 / 15	2025-09-07
3.4.84	12 / 15	2025-08-31

v3.4.139

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.138

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.137

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.136

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.135

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.134

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.133

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.132

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.131

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.130

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.129

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.128

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.127

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.126

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.125

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.124

2 findings

HIGH env-spread: lib/commands/doctor.js:207 semgrep

Spreading entire process.env into an object — may capture all secrets 205 | const cp = spawn(cmdString, [], { 206 | shell: true, > 207 | env: Object.assign({}, { 208 | ...process.env, 209 | SF_LOG_COLORIZE: 'false',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.4.123

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.122

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.121

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.120

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.118

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.117

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.116

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.115

2 findings

HIGH env-spread: lib/commands/doctor.js:207 semgrep

Spreading entire process.env into an object — may capture all secrets 205 | const cp = spawn(cmdString, [], { 206 | shell: true, > 207 | env: Object.assign({}, { 208 | ...process.env, 209 | SF_LOG_COLORIZE: 'false',

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.4.112

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.95

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.94

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.93

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.89

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.88

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.87

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.86

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.85

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.84

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.