ng-packagr
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used solely to wrap dynamic import() for ESM loading in CJS context; input is a module path, not user-controlled arbitrary code. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Standard worker-pool env propagation in a build tool; stable pattern across versions. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Config/plugin loading pattern typical for build tools; stable across versions. | ai | |
| email-domain | unclaimed-email:spektrakel.de | AI (email-domain): Original author email since inception; package published via GH Actions with SLSA provenance, not via email auth. | ai | |
Versions (showing 11 of 11)
| Version | Deps | Published |
|---|---|---|
| 22.0.0 | 20 / 0 | |
| 21.2.5 | 21 / 0 | |
| 21.2.3 | 21 / 0 | |
| 21.2.2 | 21 / 0 | |
| 21.2.1 | 21 / 0 | |
| 21.2.0 | 21 / 0 | |
| 21.1.0 | 21 / 0 | |
| 21.0.1 | 21 / 0 | |
| 21.0.0 | 21 / 0 | |
| 20.3.2 | 21 / 0 | |
| 20.3.1 | 21 / 0 | |
v22.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v21.2.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v21.2.3
3 findings:

Maintainer email '[email protected]' uses domain 'spektrakel.de' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/ng-packagr/ng-packagr/blob/93eead0d6a0be8e4780ba5284379137f2d190e8a/src/lib/styles/worker-pool.js#L30

```js
  28 | else {
  29 |   // Default behavior of `env` option is to copy current process values
> 30 |   piscinaOptions.env = {
  31 |     ...process.env,
  32 |     NODE_COMPILE_CACHE: compileCacheDirectory,
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v21.2.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v21.2.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v21.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v21.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v21.0.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v21.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v20.3.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v20.3.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.