exifreader
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Build script spreads env to set BABEL_ENV/NODE_ENV; no exfiltration path. Stable for this package. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Documented optional build step for tree-shaking; only runs when dependent has an ExifReader config file. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used only in build helper bin/build.js, not in runtime library code. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in build helper reads package.json for devDependency versions; not a runtime risk. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding in utils.js is legitimate for parsing EXIF/XMP binary metadata. | ai | |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 4.41.0 | 0 / 23 | |
| 4.40.4 | 0 / 23 | |
| 4.39.1 | 0 / 23 | |
| 4.39.0 | 0 / 23 | |
| 4.38.1 | 0 / 23 | |
| 4.37.1 | 0 / 23 | |
| 4.34.0 | 0 / 23 | |
| 4.33.1 | 0 / 23 | |
| 4.32.0 | 0 / 23 | |
| 4.31.2 | 0 / 23 | |
| 4.31.1 | 0 / 23 | |
| 4.31.0 | 0 / 23 | |
| 4.30.1 | 0 / 23 | |
v4.41.0
2 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/mattiasw/ExifReader/blob/1874a9edb44fc0121bd894094c0aaa8569728f08/bin/build.js#L38

```js
36 | // keeps webpack in production mode, and BABEL_ENV is only belt-and-suspenders
37 | // against a stray BABEL_ENV=test adding the test-only rewire plugin.
> 38 | const env = {...process.env, BABEL_ENV: 'production', NODE_ENV: 'production'};
39 | if (options.config) {
40 |     env.EXIFREADER_CUSTOM_BUILD = JSON.stringify(options.config);
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.40.4
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.39.1
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.39.0
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.38.1
2 findings

Install script: node bin/build.js --only-with-config
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.37.1
2 findings

Install script: node bin/build.js --only-with-config
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.34.0
1 finding

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.33.1
1 finding

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.32.0
1 finding

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.31.2
1 finding

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.31.1
1 finding

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.31.0
1 finding

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.30.1
1 finding

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.