app-builder-lib

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Spreading entire process.env into an object — may capture all secrets 356 | args = configuration.computeSignToolArgs(isWin); 357 | } > 358 | await (0, builder_util_1.retry)(() => vm.exec(tool, args, { timeout, env: { ...process.env, ...(toolInfo.env || 359 | retries: 2, 360 | interval: 15000,

Spreading entire process.env into an object — may capture all secrets 331 | const child = childProcess.spawn(command, args, { 332 | cwd, > 333 | env: { COREPACK_ENABLE_STRICT: "0", ...process.env }, // allow `process.env` overrides 334 | shell: true, // `true`` is required: https://github.com/electron-userland/electron-builder/issues/9488 335 | });

Spreading entire process.env into an object — may capture all secrets 203 | return; 204 | } > 205 | const env = { 206 | ...process.env, 207 | };

Spreading entire process.env into an object — may capture all secrets 542 | await (0, builder_util_1.spawnAndWrite)(command, args, script, { 543 | // we use NSIS_CONFIG_CONST_DATA_PATH=no to build makensis on Linux, but in any case it doesn't use stubs as > 544 | env: { ...process.env, NSISDIR: nsisPath }, 545 | cwd: nsisUtil_1.nsisTemplatesDir, 546 | });

Spreading entire process.env into an object — may capture all secrets 12 | function computeToolEnv(libPath) { 13 | // noinspection SpellCheckingInspection > 14 | return { 15 | ...process.env, 16 | DYLD_LIBRARY_PATH: computeEnv(process.env.DYLD_LIBRARY_PATH, libPath),

Spreading entire process.env into an object — may capture all secrets 41 | function getGypEnv(frameworkInfo, platform, arch, buildFromSource) { 42 | const npmConfigArch = arch === "armv7l" ? "arm" : arch; > 43 | const common = { 44 | ...process.env, 45 | npm_config_arch: npmConfigArch,

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Spreading entire process.env into an object — may capture all secrets 203 | return; 204 | } > 205 | const env = { 206 | ...process.env, 207 | };

Spreading entire process.env into an object — may capture all secrets 542 | await (0, builder_util_1.spawnAndWrite)(command, args, script, { 543 | // we use NSIS_CONFIG_CONST_DATA_PATH=no to build makensis on Linux, but in any case it doesn't use stubs as > 544 | env: { ...process.env, NSISDIR: nsisPath }, 545 | cwd: nsisUtil_1.nsisTemplatesDir, 546 | });

Spreading entire process.env into an object — may capture all secrets 12 | function computeToolEnv(libPath) { 13 | // noinspection SpellCheckingInspection > 14 | return { 15 | ...process.env, 16 | DYLD_LIBRARY_PATH: computeEnv(process.env.DYLD_LIBRARY_PATH, libPath),

Spreading entire process.env into an object — may capture all secrets 40 | function getGypEnv(frameworkInfo, platform, arch, buildFromSource) { 41 | const npmConfigArch = arch === "armv7l" ? "arm" : arch; > 42 | const common = { 43 | ...process.env, 44 | npm_config_arch: npmConfigArch,

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Spreading entire process.env into an object — may capture all secrets 203 | return; 204 | } > 205 | const env = { 206 | ...process.env, 207 | };

Spreading entire process.env into an object — may capture all secrets 542 | await (0, builder_util_1.spawnAndWrite)(command, args, script, { 543 | // we use NSIS_CONFIG_CONST_DATA_PATH=no to build makensis on Linux, but in any case it doesn't use stubs as > 544 | env: { ...process.env, NSISDIR: nsisPath }, 545 | cwd: nsisUtil_1.nsisTemplatesDir, 546 | });

Spreading entire process.env into an object — may capture all secrets 12 | function computeToolEnv(libPath) { 13 | // noinspection SpellCheckingInspection > 14 | return { 15 | ...process.env, 16 | DYLD_LIBRARY_PATH: computeEnv(process.env.DYLD_LIBRARY_PATH, libPath),

Spreading entire process.env into an object — may capture all secrets 40 | function getGypEnv(frameworkInfo, platform, arch, buildFromSource) { 41 | const npmConfigArch = arch === "armv7l" ? "arm" : arch; > 42 | const common = { 43 | ...process.env, 44 | npm_config_arch: npmConfigArch,

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

This version was published by a different npm account than previous versions on 2025-11-18. This could indicate a legitimate maintainer transition or an account compromise.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

This version was published by a different npm account than previous versions on 2025-11-15. This could indicate a legitimate maintainer transition or an account compromise.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.