nodemon MIT 5 versions

nodemon

npm Repository Homepage

Simple monitor script for use during development of a Node.js app.

5

Versions

MIT

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

remy

Keywords

climonitormonitordevelopmentrestartautoloadreloadterminal

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
install-scripts	install-script:postinstall	AI (install-scripts): nodemon's postinstall configures user preferences via configstore; legitimate and documented for this development tool.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require loads package.json for version info; standard pattern in postinstall configuration.	ai	2026/04/23
semgrep	semgrep:child-process-import	AI (semgrep): child_process is core to nodemon's functionality of spawning and monitoring processes; expected and necessary.	ai	2026/04/23
phantom-deps	phantom-dep:touch	AI (phantom-deps): touch is a declared runtime dependency used in nodemon's functionality; false positive.	ai	2026/04/23

Versions (showing 5 of 5)

Version	Deps	Published
2.0.7	10 / 11	2021-01-06
2.0.6	10 / 11	2020-10-19
2.0.3	10 / 11	2020-04-08
2.0.1	10 / 11	2019-11-22
2.0.0	10 / 11	2019-11-20

v2.0.7

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: node bin/postinstall || exit 0

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.6

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: node bin/postinstall || exit 0

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.3

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: node bin/postinstall || exit 0

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.1

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: node bin/postinstall || exit 0

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: node bin/postinstall || exit 0

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.