datagrok-tools
Utility to upload and publish packages to Datagrok
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Playwright test runner spreading process.env to child test process is expected behavior for this CLI tool. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Resolves globally-installed npm plugins via webpack config; standard CLI tooling pattern for this package. | ai | |
| dependencies | unvetted-dep:puppeteer-screen-recorder | AI (dependencies): Screen recording dep for puppeteer-based testing; expected for this tool. | ai | |
| dependencies | unvetted-dep:archiver-promise | AI (dependencies): Stable dependency for this CLI tool across many versions; no malware indicators. | ai | |
| dependencies | unvetted-dep:node-recursive-directory | AI (dependencies): Utility dep used by this CLI tool; no malware indicators. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/visitor-keys | AI (phantom-deps): Loaded via eslint config convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:@babel/traverse | AI (phantom-deps): Framework-scoped Babel package loaded by convention; stable false positive. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established 331-version CLI tool; sparse README/keywords are cosmetic, not spam indicators. | ai | |
| phantom-deps | phantom-dep:archiver | AI (phantom-deps): archiver is declared as a dependency and used via archiver-promise wrapper; phantom detection is a false positive. | ai | |
| phantom-deps | phantom-dep:estraverse | AI (phantom-deps): estraverse used via config/convention in AST traversal tooling; stable false positive. | ai | |
| phantom-deps | phantom-dep:@babel/parser | AI (phantom-deps): Framework-scoped Babel package loaded by convention; stable false positive. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): CLI build tool; child_process is expected for invoking compilers/bundlers. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decode appears only in test assertions, not in runtime code paths. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval used in test runner to execute remote test functions — documented test-utils pattern. | ai |
Versions (showing 47 of 47)
| Version | Deps | Published |
|---|---|---|
| 6.2.6 | 22 / 21 | |
| 6.2.5 | 22 / 21 | |
| 6.2.4 | 22 / 21 | |
| 6.2.3 | 22 / 21 | |
| 6.2.2 | 22 / 21 | |
| 6.2.1 | 22 / 21 | |
| 6.2.0 | 22 / 21 | |
| 6.1.14 | 22 / 21 | |
| 6.1.13 | 23 / 21 | |
| 6.1.12 | 23 / 21 | |
| 6.1.11 | 23 / 21 | |
| 6.1.10 | 22 / 20 | |
| 6.1.9 | 22 / 19 | |
| 6.1.8 | 22 / 19 | |
| 6.1.7 | 22 / 19 | |
| 6.1.6 | 22 / 19 | |
| 6.1.5 | 22 / 19 | |
| 6.1.4 | 22 / 19 | |
| 6.1.3 | 22 / 19 | |
| 6.1.1 | 22 / 19 | |
| 6.1.0 | 22 / 19 | |
| 6.0.8 | 22 / 19 | |
| 6.0.7 | 22 / 19 | |
| 6.0.6 | 22 / 19 | |
| 6.0.5 | 22 / 19 | |
| 6.0.4 | 22 / 19 | |
| 6.0.3 | 22 / 19 | |
| 6.0.2 | 22 / 19 | |
| 6.0.1 | 22 / 19 | |
| 6.0.0 | 22 / 19 | |
| 5.1.9 | 22 / 19 | |
| 5.1.8 | 22 / 19 | |
| 5.1.7 | 22 / 19 | |
| 5.1.6 | 22 / 19 | |
| 5.1.5 | 22 / 19 | |
| 5.1.4 | 22 / 19 | |
| 5.1.3 | 22 / 19 | |
| 5.1.2 | 22 / 19 | |
| 5.1.1 | 22 / 19 | |
| 5.0.0 | 22 / 19 | |
| 4.14.73 | 23 / 19 | |
| 4.14.72 | 22 / 20 | |
| 4.14.71 | 22 / 20 | |
| 4.14.70 | 22 / 20 | |
| 4.14.69 | 22 / 19 | |
| 4.14.68 | 22 / 19 | |
| 4.14.67 | 22 / 19 |
v6.2.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.5
2 findings:
Spreading entire process.env into an object — may capture all secrets. Flagged at line 161 (excerpt):
```javascript
  }
  if (testDirFinal !== testDir) cliArgs.push(testDirFinal);
  const env = {          // flagged line
    ...process.env,
    DATAGROK_URL: webUrl,
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.4
2 findings:
Spreading entire process.env into an object — may capture all secrets. Flagged at line 161 (excerpt):
```javascript
  }
  if (testDirFinal !== testDir) cliArgs.push(testDirFinal);
  const env = {          // flagged line
    ...process.env,
    DATAGROK_URL: webUrl,
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.3
2 findings:
Spreading entire process.env into an object — may capture all secrets. Flagged at line 161 (excerpt):
```javascript
  }
  if (testDirFinal !== testDir) cliArgs.push(testDirFinal);
  const env = {          // flagged line
    ...process.env,
    DATAGROK_URL: webUrl,
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.2
2 findings:
Spreading entire process.env into an object — may capture all secrets. Flagged at line 161 (excerpt):
```javascript
  }
  if (testDirFinal !== testDir) cliArgs.push(testDirFinal);
  const env = {          // flagged line
    ...process.env,
    DATAGROK_URL: webUrl,
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.1
2 findings:
Spreading entire process.env into an object — may capture all secrets. Flagged at line 161 (excerpt):
```javascript
  }
  if (testDirFinal !== testDir) cliArgs.push(testDirFinal);
  const env = {          // flagged line
    ...process.env,
    DATAGROK_URL: webUrl,
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.0
2 findings:
Spreading entire process.env into an object — may capture all secrets. Flagged at line 157 (excerpt):
```javascript
  }
  if (testDirFinal !== testDir) cliArgs.push(testDirFinal);
  const env = {          // flagged line
    ...process.env,
    DATAGROK_URL: webUrl,
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.14
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.13
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.12
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.14.73
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.14.72
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.14.71
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.14.70
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.14.69
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.14.68
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.14.67
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.