@smoothbricks/nx-plugin
Local Nx plugin for workspace-standard package setup and missing inferred targets.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Nx executor merging process.env for child process execution is expected and documented behavior for this package. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a known implicit TypeScript runtime dependency; stable false positive for this package. | ai |
Versions (showing 7 of 7)
| Version | Deps | Published |
|---|---|---|
| 0.2.5 | 3 / 0 | |
| 0.2.4 | 3 / 0 | |
| 0.2.3 | 3 / 0 | |
| 0.2.2 | 3 / 0 | |
| 0.2.1 | 3 / 0 | |
| 0.2.0 | 3 / 0 | |
| 0.1.0 | 2 / 1 |
v0.2.5
2 findingsSpreading entire process.env into an object — may capture all secrets 206 | 207 | function mergeEnv(env: Record<string, string> | undefined): NodeJS.ProcessEnv { > 208 | return env ? { ...process.env, ...env } : process.env; 209 | } 210 |
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.4
2 findingsSpreading entire process.env into an object — may capture all secrets 206 | 207 | function mergeEnv(env: Record<string, string> | undefined): NodeJS.ProcessEnv { > 208 | return env ? { ...process.env, ...env } : process.env; 209 | } 210 |
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.3
2 findingsSpreading entire process.env into an object — may capture all secrets 206 | 207 | function mergeEnv(env: Record<string, string> | undefined): NodeJS.ProcessEnv { > 208 | return env ? { ...process.env, ...env } : process.env; 209 | } 210 |
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.2
2 findingsSpreading entire process.env into an object — may capture all secrets 206 | 207 | function mergeEnv(env: Record<string, string> | undefined): NodeJS.ProcessEnv { > 208 | return env ? { ...process.env, ...env } : process.env; 209 | } 210 |
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.1
2 findingsSpreading entire process.env into an object — may capture all secrets 206 | 207 | function mergeEnv(env: Record<string, string> | undefined): NodeJS.ProcessEnv { > 208 | return env ? { ...process.env, ...env } : process.env; 209 | } 210 |
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.0
2 findingsSpreading entire process.env into an object — may capture all secrets 206 | 207 | function mergeEnv(env: Record<string, string> | undefined): NodeJS.ProcessEnv { > 208 | return env ? { ...process.env, ...env } : process.env; 209 | } 210 |
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.1.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.