jsr
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:jest | AI (typosquat): jsr is the official jsr.io package manager; not a typosquat of jest. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): jsr is the official jsr.io package manager; not a typosquat of qs. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): jsr is the official jsr.io package manager; not a typosquat of joi. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): env spread is used to pass environment to a child publish process; standard CLI pattern, not exfiltration. | ai |
v0.14.3
2 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/jsr-io/jsr-npm/blob/9e797fbf742ca1dd741be76369a626b8ebfb2ab5/dist-esm/commands.js#L175 173 | "publish", 174 | ]; > 175 | const env = { ...process.env }; 176 | // These commands should only be added for a node project, 177 | // not a Deno project.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.1
2 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/jsr-io/jsr-npm/blob/06f56094b93a3a0a6e47d9b71d4d2b8c89b4aa48/dist-esm/commands.js#L175 173 | "publish", 174 | ]; > 175 | const env = { ...process.env }; 176 | // These commands should only be added for a node project, 177 | // not a Deno project.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.