dmg-builder
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:builder-util-runtime | AI (phantom-deps): builder-util-runtime is a declared dependency used transitively; phantom-dep heuristic is a false positive here. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env into subprocess exec call is standard build-tool practice; not a secret-exfiltration risk here. | ai | |
| bogus-package | bogus-package | AI (bogus-package): dmg-builder is a well-known electron-builder monorepo package; sparse README/keywords are expected for internal tooling. | ai |
Versions (showing 25 of 25)
| Version | Deps | Published |
|---|---|---|
| 26.15.3 | 4 / 3 | |
| 26.15.2 | 4 / 3 | |
| 26.15.1 | 4 / 3 | |
| 26.15.0 | 4 / 3 | |
| 26.14.0 | 4 / 3 | |
| 26.13.1 | 5 / 3 | |
| 26.13.0 | 5 / 3 | |
| 26.12.1 | 5 / 3 | |
| 26.12.0 | 5 / 3 | |
| 26.11.1 | 5 / 3 | |
| 26.11.0 | 5 / 3 | |
| 26.10.0 | 5 / 3 | |
| 26.9.1 | 5 / 3 | |
| 26.9.0 | 5 / 3 | |
| 26.8.2 | 5 / 3 | |
| 26.8.1 | 5 / 3 | |
| 26.3.4 | 5 / 3 | |
| 26.3.3 | 5 / 3 | |
| 26.2.0 | 5 / 3 | |
| 26.1.0 | 5 / 3 | |
| 26.0.20 | 5 / 3 | |
| 26.0.19 | 5 / 3 | |
| 26.0.18 | 5 / 3 | |
| 26.0.17 | 6 / 3 | |
| 26.0.16 | 6 / 3 |
v26.15.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.15.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.15.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.15.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.14.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.13.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.13.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.12.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.12.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.11.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.11.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.10.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.9.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.9.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.8.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.8.1
2 findingsSpreading entire process.env into an object — may capture all secrets 170 | const dmgbuild = await getDmgVendorPath(); 171 | await (0, builder_util_1.exec)(dmgbuild, ["-s", settingsFile, path.basename(volumePath), artifactPath], { > 172 | env: { 173 | ...process.env, 174 | PYTHONIOENCODING: "utf8",
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.3.4
2 findingsSpreading entire process.env into an object — may capture all secrets 149 | await (0, builder_util_1.exec)(pythonPath.trim(), [path.join(vendorDir, "run_dmgbuild.py"), "-s", settingsFile, path 150 | cwd: vendorDir, > 151 | env: { 152 | ...process.env, 153 | PYTHONIOENCODING: "utf8",
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.3.3
2 findingsSpreading entire process.env into an object — may capture all secrets 149 | await (0, builder_util_1.exec)(pythonPath.trim(), [path.join(vendorDir, "run_dmgbuild.py"), "-s", settingsFile, path 150 | cwd: vendorDir, > 151 | env: { 152 | ...process.env, 153 | PYTHONIOENCODING: "utf8",
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.2.0
2 findingsSpreading entire process.env into an object — may capture all secrets 147 | await (0, builder_util_1.exec)(pythonPath, [path.join(getDmgVendorPath(), "run_dmgbuild.py"), "-s", settingsFile 148 | cwd: getDmgVendorPath(), > 149 | env: { 150 | ...process.env, 151 | PYTHONIOENCODING: "utf8",
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v26.1.0
2 findingsSpreading entire process.env into an object — may capture all secrets 147 | await (0, builder_util_1.exec)(pythonPath, [path.join(getDmgVendorPath(), "run_dmgbuild.py"), "-s", settingsFile 148 | cwd: getDmgVendorPath(), > 149 | env: { 150 | ...process.env, 151 | PYTHONIOENCODING: "utf8",
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.0.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v26.0.19
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.0.18
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.0.17
2 findingsSpreading entire process.env into an object — may capture all secrets 212 | const isValidIconTextSize = !!specification.iconTextSize && specification.iconTextSize >= 10 && specification.iconTe 213 | const iconTextSize = isValidIconTextSize ? specification.iconTextSize : 12; > 214 | const env = { 215 | ...process.env, 216 | volumePath,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v26.0.16
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.