
homebridge

7 Versions
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
gitHead linked

Maintainers

oznu, northernman, supereg, khaost, ebaauw, dustin.greif, nfarina, bwp91

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:child-process-import | AI (semgrep): Homebridge spawns child bridge processes by design; child_process use is core functionality. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Plugin loader must dynamically require/import user-installed plugins; this is the documented plugin architecture. | ai |
semgrep | semgrep:new-function-constructor | AI (semgrep): Documented TypeScript/Node ESM interop workaround (linked issue in code); not user-controlled input. | ai |
semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env into child bridge subprocess env is intentional and expected for a process manager. | ai |

Versions (showing 7 of 7)

Version | Deps | Published
2.1.0 | 8 / 15 |
2.0.2 | 8 / 15 |
2.0.1 | 8 / 15 |
2.0.0 | 8 / 15 |
1.11.4 | 7 / 19 |
1.11.3 | 7 / 19 |
1.11.2 | 7 / 19 |

v2.1.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.2

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.1

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.0.0

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.11.4

2 findings
HIGH  env-spread: lib/childBridgeService.js:258  [semgrep]

Spreading entire process.env into an object — may capture all secrets.
Source: https://github.com/homebridge/homebridge/blob/7df9f1bfe577615a31e6baa2542ddc3a72f2e07f/lib/childBridgeService.js#L258

  256 |   setProcessEnv() {
  257 |     this.processEnv = {
> 258 |       env: {
  259 |         ...process.env,
  260 |         DEBUG: `${process.env.DEBUG || ""} ${this.bridgeConfig.env?.DEBUG || ""}`.trim(),

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.11.3

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.11.2

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.