convex
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:eslint-plugin-require-extensions | AI (dependencies): Well-known lint plugin, dev/lint-time only, low risk. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-require-extensions | AI (phantom-deps): Used via eslint config, not direct import; expected pattern. | ai | |
| source-diff | encoded-string-file:dist/cli.bundle.cjs | AI (source-diff): Sentry ANR worker-script base64 blob; stable across versions of this package. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): CLI envvars utility enumerating env to detect misconfigured Convex API keys — documented CLI behavior. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): All instances in test files spreading process.env for child process spawning — standard test practice for this SDK. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Decoding base64 Convex API tokens for validation in CLI envvar helper — clearly legitimate. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): All instances are 127.0.0.1 localhost references in test files for local dev server connections. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process imported only in test files (vitest) to spawn test processes — standard for SDK testing. | ai |
Versions (showing 58 of 58)
| Version | Deps | Published |
|---|---|---|
| 1.42.2 | 3 / 78 | |
| 1.42.1 | 3 / 78 | |
| 1.42.0 | 3 / 78 | |
| 1.41.0 | 3 / 78 | |
| 1.40.0 | 3 / 76 | |
| 1.39.1 | 3 / 76 | |
| 1.37.0 | 3 / 76 | |
| 1.36.1 | 3 / 76 | |
| 1.36.0 | 3 / 76 | |
| 1.35.1 | 3 / 76 | |
| 1.35.0 | 3 / 76 | |
| 1.34.1 | 3 / 76 | |
| 1.34.0 | 3 / 76 | |
| 1.32.0 | 3 / 75 | |
| 1.31.7 | 2 / 74 | |
| 1.31.6 | 2 / 74 | |
| 1.31.2 | 2 / 74 | |
| 1.31.0 | 2 / 74 | |
| 1.30.0 | 2 / 74 | |
| 1.29.3 | 2 / 74 | |
| 1.29.2 | 2 / 74 | |
| 1.29.1 | 2 / 74 | |
| 1.29.0 | 2 / 74 | |
| 1.28.2 | 2 / 74 | |
| 1.28.1 | 2 / 74 | |
| 1.27.5 | 2 / 74 | |
| 1.27.4 | 2 / 74 | |
| 1.27.3 | 3 / 81 | |
| 1.27.2 | 3 / 80 | |
| 1.27.1 | 3 / 80 | |
| 1.27.0 | 3 / 80 | |
| 1.26.2 | 3 / 80 | |
| 1.26.1 | 3 / 77 | |
| 1.26.0 | 3 / 77 | |
| 1.25.4 | 3 / 77 | |
| 1.25.2 | 3 / 77 | |
| 1.25.1 | 3 / 77 | |
| 1.25.0 | 3 / 77 | |
| 1.24.8 | 3 / 76 | |
| 1.24.7 | 3 / 76 | |
| 1.24.6 | 3 / 76 | |
| 1.24.5 | 3 / 76 | |
| 1.24.3 | 3 / 76 | |
| 1.24.2 | 3 / 76 | |
| 1.24.1 | 3 / 76 | |
| 1.24.0 | 3 / 76 | |
| 1.14.4 | 3 / 62 | |
| 1.14.3 | 3 / 62 | |
| 1.14.2 | 3 / 62 | |
| 1.14.1 | 3 / 62 | |
| 1.14.0 | 3 / 62 | |
| 1.13.2 | 5 / 61 | |
| 1.13.1 | 5 / 62 | |
| 1.13.0 | 5 / 64 | |
| 1.12.2 | 4 / 67 | |
| 1.12.1 | 4 / 67 | |
| 1.12.0 | 4 / 67 | |
| 1.11.3 | 4 / 67 |
v1.42.2
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (nicolapps) than the most recent previously approved version (reece-convex) on 2026-07-14, but nicolapps is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.42.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (reece-convex) than the most recent previously approved version (nicolapps) on 2026-06-29, but reece-convex is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.42.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.41.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.40.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (nicolapps) than the most recent previously approved version (aritrakh) on 2026-06-01, but nicolapps is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.39.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ianatconvex) than the most recent previously approved version (aritrakh) on 2026-05-15, but ianatconvex is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.37.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (nicolapps) than the most recent previously approved version (aritrakh) on 2026-04-30, but nicolapps is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.36.1
7 findingsSpreading entire process.env into an object — may capture all secrets 52 | timeout: 35000, 53 | stdio: ["pipe", "pipe", "pipe"], > 54 | env: { 55 | ...process.env, 56 | FORCE_COLOR: "false",
Spreading entire process.env into an object — may capture all secrets 82 | 83 | beforeEach(() => { > 84 | savedEnv = { ...process.env }; 85 | savedIsTTY = process.stdin.isTTY; 86 | process.env = {};
Spreading entire process.env into an object — may capture all secrets 251 | 252 | beforeEach(() => { > 253 | savedEnv = { ...process.env }; 254 | savedIsTTY = process.stdin.isTTY; 255 | process.env = {};
Spreading entire process.env into an object — may capture all secrets 81 | 82 | beforeEach(() => { > 83 | savedEnv = { ...process.env }; 84 | savedIsTTY = process.stdin.isTTY; 85 | process.env = {};
Spreading entire process.env into an object — may capture all secrets 497 | } = await fetchDeploymentCanonicalUrls(ctx, deployment); 498 | > 499 | const env = { ...process.env }; 500 | env[urlVar] = canonicalCloudUrl; 501 | env[siteVar] = canonicalSiteUrl;
Spreading entire process.env into an object — may capture all secrets 134 | .spawn(args.binaryPath, commandArgs, { 135 | stdio: "ignore", > 136 | env: { 137 | ...process.env, 138 | SENTRY_DSN: SENTRY_DSN,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.34.0
3 findingsThis version was published by a different npm account than previous versions on 2026-03-19. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.32.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (nicolapps) than the most recent previously approved version (reece-convex) on 2026-02-18, but nicolapps is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.31.6
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (nicolapps) than the most recent previously approved version (ballingt) on 2026-01-22, but nicolapps is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.31.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.31.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (nicolapps) than the most recent previously approved version (ballingt) on 2025-12-11, but nicolapps is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.27.5
2 findingsModified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.27.4
2 findingsModified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.27.3
2 findingsModified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.27.2
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.27.1
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.27.0
3 findingsThis version was published by a different npm account than previous versions on 2025-09-09. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.26.2
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.26.1
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.26.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.25.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.25.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.25.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.25.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.24.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.14.4
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ballingt) than the most recent previously approved version (sshader) on 2024-08-22, but ballingt is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.14.3
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (sshader) than the most recent previously approved version (ballingt) on 2024-08-21, but sshader is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.14.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ballingt) than the most recent previously approved version (sshader) on 2024-08-15, but ballingt is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.14.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (sshader) than the most recent previously approved version (ballingt) on 2024-08-07, but sshader is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.13.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (sshader) than the most recent previously approved version (ballingt) on 2024-07-01, but sshader is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.12.2
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ballingt) than the most recent previously approved version (sshader) on 2024-06-20, but ballingt is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.12.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.