@sesori/bridge SEE LICENSE IN LICENSE 9 versions

@sesori/bridge

npm Repository Homepage

Bootstrap launcher for the managed Sesori Bridge runtime

9

Versions

SEE LICENSE IN LICENSE

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

alexjeefo

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:silent-process-exec	AI (semgrep): Spawns process.execPath with a sibling heartbeat script — legitimate lock-file keepalive, not malicious background process.	ai	2026/04/29
semgrep	semgrep:silent-process-exec-var	AI (semgrep): Same heartbeat spawn pattern; stable false positive for this package.	ai	2026/04/29
semgrep	semgrep:child-process-spawn	AI (semgrep): Used only for lock heartbeat subprocess; benign for this bootstrap launcher package.	ai	2026/04/29
semgrep	semgrep:child-process-import	AI (semgrep): child_process imported solely for the heartbeat lock mechanism; expected in a runtime bootstrap package.	ai	2026/04/29

Versions (showing 9 of 9)

Version	Deps	Published
1.0.7	0 / 0	2026-05-20
0.7.0	0 / 0	2026-05-17
0.6.1	0 / 0	2026-04-29
0.6.0	0 / 0	2026-04-29
0.5.0	0 / 0	2026-04-27
0.4.1	0 / 0	2026-04-22
0.4.0	0 / 0	2026-04-22
0.3.1	0 / 0	2026-04-15
0.1.0	0 / 0	2026-03-13

v1.0.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.