@snazzah/davey — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

snazzah

discorde2eemlsnapi-rsNAPIN-APIRustnode-addonnode-addon-api

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:child-process-import	AI (semgrep): NAPI-RS loader uses child_process only to detect musl vs glibc via hardcoded 'ldd --version' command; standard pattern for native binding platform detection.	ai	2026/04/25
semgrep	semgrep:child-process-execsync	AI (semgrep): execSync('ldd --version') is a hardcoded, benign musl detection call in the NAPI-RS loader; not user-controlled and not a security risk.	ai	2026/04/25
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require via NAPI_RS_NATIVE_LIBRARY_PATH env var is standard NAPI-RS escape hatch for custom native library paths; documented and expected behavior.	ai	2026/04/25

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.