convex — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

cowlingjordanhuntgautamg795emmaling27nipunnaritrakhianatconvexreece-convexerquhartsethconvexjamwtnicolapps

Keywords

convexdatabasereactstateserverless

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:env-spread	AI (semgrep): All instances in test files spreading process.env for child process spawning — standard test practice for this SDK.	ai	2026/04/25
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): All instances are 127.0.0.1 localhost references in test files for local dev server connections.	ai	2026/04/25
semgrep	semgrep:child-process-import	AI (semgrep): child_process imported only in test files (vitest) to spawn test processes — standard for SDK testing.	ai	2026/04/25
semgrep	semgrep:env-bulk-read	AI (semgrep): CLI envvars utility enumerating env to detect misconfigured Convex API keys — documented CLI behavior.	ai	2026/04/25
semgrep	semgrep:base64-decode	AI (semgrep): Decoding base64 Convex API tokens for validation in CLI envvar helper — clearly legitimate.	ai	2026/04/25

Versions (showing 25 of 25)

Version	Deps	Published
1.36.1	3 / 76	2026-04-24
1.36.0	3 / 76	2026-04-22
1.35.1	3 / 76	2026-04-10
1.35.0	3 / 76	2026-04-10
1.34.1	3 / 76	2026-03-27
1.30.0	2 / 74	2025-12-02
1.29.3	2 / 74	2025-11-19
1.29.2	2 / 74	2025-11-17
1.29.1	2 / 74	2025-11-14
1.29.0	2 / 74	2025-11-10
1.28.2	2 / 74	2025-11-03
1.28.1	2 / 74	2025-11-02
1.26.0	3 / 77	2025-08-22
1.25.4	3 / 77	2025-07-14
1.25.2	3 / 77	2025-06-30
1.25.1	3 / 77	2025-06-29
1.25.0	3 / 77	2025-06-24
1.24.8	3 / 76	2025-06-04
1.24.7	3 / 76	2025-06-03
1.24.6	3 / 76	2025-06-01
1.24.5	3 / 76	2025-05-31
1.24.3	3 / 76	2025-05-28
1.24.2	3 / 76	2025-05-27
1.24.1	3 / 76	2025-05-06
1.24.0	3 / 76	2025-05-02

v1.36.1

7 findings

HIGH env-spread: src/browser/sync/client_node.test.ts:54 semgrep

Spreading entire process.env into an object — may capture all secrets 52 | timeout: 35000, 53 | stdio: ["pipe", "pipe", "pipe"], > 54 | env: { 55 | ...process.env, 56 | FORCE_COLOR: "false",

HIGH env-spread: src/cli/deploymentSelect.test.ts:84 semgrep

Spreading entire process.env into an object — may capture all secrets 82 | 83 | beforeEach(() => { > 84 | savedEnv = { ...process.env }; 85 | savedIsTTY = process.stdin.isTTY; 86 | process.env = {};

HIGH env-spread: src/cli/deploymentSelection.test.ts:253 semgrep

Spreading entire process.env into an object — may capture all secrets 251 | 252 | beforeEach(() => { > 253 | savedEnv = { ...process.env }; 254 | savedIsTTY = process.stdin.isTTY; 255 | process.env = {};

HIGH env-spread: src/cli/envDefault.test.ts:83 semgrep

Spreading entire process.env into an object — may capture all secrets 81 | 82 | beforeEach(() => { > 83 | savedEnv = { ...process.env }; 84 | savedIsTTY = process.stdin.isTTY; 85 | process.env = {};

HIGH env-spread: src/cli/lib/deploy2.ts:499 semgrep

Spreading entire process.env into an object — may capture all secrets 497 | } = await fetchDeploymentCanonicalUrls(ctx, deployment); 498 | > 499 | const env = { ...process.env }; 500 | env[urlVar] = canonicalCloudUrl; 501 | env[siteVar] = canonicalSiteUrl;

HIGH env-spread: src/cli/lib/localDeployment/run.ts:136 semgrep

Spreading entire process.env into an object — may capture all secrets 134 | .spawn(args.binaryPath, commandArgs, { 135 | stdio: "ignore", > 136 | env: { 137 | ...process.env, 138 | SENTRY_DSN: SENTRY_DSN,