
fabric

2
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

kangaxasturur

Keywords

canvas, graphic, graphics, SVG, node-canvas, parser, HTML5, object model

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:env-spread | AI (semgrep): env-spread is in build.mjs (dev tooling), not runtime code; standard pattern for passing env to child processes. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is in publish-next.js (dev/CI tooling), not in the distributed library runtime. | ai |

Versions (showing 2 of 2)

Version Deps Published
7.4.0 0 / 25
7.3.1 0 / 25

v7.4.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.3.1

2 findings
HIGH env-spread: scripts/build.mjs:42 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/fabricjs/fabric.js/blob/b305406837c50b5638ce32c7558fc83e9c8c4159/scripts/build.mjs#L42

      40 |   shell: true,
      41 |   cwd: wd,
    > 42 |   env: {
      43 |     ...process.env,
      44 |     MINIFY: Number(!fast),

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.