node-av
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:postinstall | AI (install-scripts): Runs local dist/ffmpeg/install.js to set up FFmpeg binaries; standard native binding install pattern. | ai | |
| install-scripts | install-script:install | AI (install-scripts): Runs local install/check.js to verify native deps; standard native binding check pattern. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreads process.env into spawnSync to inherit environment while adding PKG_CONFIG_PATH; benign build-tool pattern. | ai | |
v5.2.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.2.3
4 findings
Script: node dist/ffmpeg/install.js
Script: node install/check.js
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/seydx/node-av/blob/5051d1157c54ae54049ce658a56cb108afb32080/install/ffmpeg.js#L53

```js
51 |   spawnSync('pkg-config --modversion libavcodec', {
52 |     ...spawnSyncOptions,
> 53 |   env: {
54 |       ...process.env,
55 |       PKG_CONFIG_PATH: pkgConfigPath(),
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.