knex
11
Versions
—
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
tgriesserwubzzelhigukibertoadolivier.cavadenti
Keywords
sqlquerypostgresqlpostgresmysqlcockroachdbsqlite3oraclemssqlbuilderquerybuilderbuilddbdatabase
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is in scripts/build.js, a build-time script not executed at install or runtime. Standard for a complex build tool like knex. | ai | |
| semgrep | semgrep:child-process-exec | AI (semgrep): child_process.exec is in scripts/build.js for build orchestration only. Not reachable by consumers at runtime or install time. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): knex CLI uses dynamic require to load the project-local knex installation — a standard, documented pattern for CLI tools. Stable across all versions. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Buffer.from(uuid, 'hex') is a standard UUID-to-binary conversion for MySQL storage. Legitimate utility function, not obfuscation. | ai | |
| dependencies | unvetted-dep:getopts | AI (dependencies): getopts is a small, stable CLI argument parser that has been a long-standing dependency of knex. No security concerns. | ai |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 3.2.10 | 14 / 44 | |
| 3.2.9 | 14 / 44 | |
| 3.2.8 | 14 / 44 | |
| 3.2.7 | 14 / 45 | |
| 3.2.6 | 14 / 45 | |
| 3.2.5 | 14 / 45 | |
| 3.2.4 | 14 / 44 | |
| 3.2.3 | 14 / 44 | |
| 3.2.2 | 14 / 44 | |
| 3.2.1 | 14 / 43 | |
| 3.2.0 | 14 / 42 |
v3.2.10
3 findings
HIGH
Missing gitHead — previous versions had it
provenance
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
HIGH
Publisher changed: tgriesser → GitHub Actions (on 2026-05-02)
provenance
This version was published by a different npm account than previous versions on 2026-05-02. This could indicate a legitimate maintainer transition or an account compromise.
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.