nx
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:bl | AI (phantom-deps): nx bundles transitive deps; phantom-dep false positives are structural for this package. | ai | |
| phantom-deps | phantom-dep:isexe | AI (phantom-deps): Newly added legitimate dep; phantom-dep heuristic fires due to bundling pattern. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Core functionality of a task orchestration CLI. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): CLI resolution of local workspace nx install; standard pattern. | ai | |
| semgrep | semgrep:child-process-execsync | AI (semgrep): Used for platform detection (musl check); standard native-binding pattern. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Webpack-bundled runtime graph module; standard build output. | ai | |
| semgrep | semgrep:toplevel-fetch | AI (semgrep): WASI browser binding fetching its own wasm file. | ai | |
| semgrep | semgrep:http-module-request | AI (semgrep): Nx Cloud integration API calls; documented feature. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Parsing SLSA provenance DSSE envelope; expected base64 usage. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Task runner passes env to child processes; expected for a build orchestrator. | ai | |
| typosquat | typosquat.levenshtein:knex | AI (typosquat): nx is a well-established brand; not a typosquat of knex. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): nx is a well-established brand; not a typosquat of pg. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): nx is a well-established brand; not a typosquat of qs. | ai | |
| typosquat | typosquat.levenshtein:next | AI (typosquat): nx is a well-established brand; not a typosquat of next. | ai | |
| typosquat | typosquat.levenshtein:nuxt | AI (typosquat): nx is a well-established brand; not a typosquat of nuxt. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Silent try/catch requiring a local dist file; no network access or arbitrary code execution. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 23.0.0 | 111 / 0 | |
| 22.7.1 | 110 / 0 | |
| 22.6.5 | 36 / 0 | |
| 22.6.4 | 36 / 0 | |
| 22.4.5 | 35 / 0 | |
| 21.6.11 | 35 / 0 | |
v23.0.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v22.6.5
15 findings
Spreading entire process.env into an object — may capture all secrets 30 | (0, child_process_1.execSync)(command, { 31 | stdio: 'inherit', > 32 | env: { 33 | ...process.env, 34 | NX_PROJECT_NAME: process.env.NX_TASK_TARGET_PROJECT,
Spreading entire process.env into an object — may capture all secrets 60 | (0, child_process_1.execSync)(command, { 61 | stdio: 'inherit', > 62 | env: { 63 | ...process.env, 64 | NX_PROJECT_NAME: projectGraph.nodes?.[projectName]?.name,
Spreading entire process.env into an object — may capture all secrets 703 | await execAsync(`${pmc.add} ${packageName}@${packageVersion}`, { 704 | cwd: dir, > 705 | env: { 706 | ...process.env, 707 | npm_config_legacy_peer_deps: 'true',
Spreading entire process.env into an object — may capture all secrets 1120 | (0, child_process_2.runNxSync)(`migrate ${args.join(' ')}`, { 1121 | stdio: ['inherit', 'inherit', 'inherit'], > 1122 | env: { 1123 | ...process.env, 1124 | NX_MIGRATE_SKIP_INSTALL: 'true',
Spreading entire process.env into an object — may capture all secrets 339 | console.log(preVersionCommand); 340 | } > 341 | let env = { 342 | ...process.env, 343 | };
Spreading entire process.env into an object — may capture all secrets 62 | const helpCommand = `${command} --help`; 63 | const localEnv = (0, npm_run_path_1.env)(); > 64 | const env = { 65 | ...process.env, 66 | ...localEnv,
Spreading entire process.env into an object — may capture all secrets 94 | shell: true, 95 | cwd: process.cwd(), > 96 | env: { 97 | ...process.env, 98 | [this.projectNameEnv]: env[this.projectNameEnv],
Spreading entire process.env into an object — may capture all secrets 947 | windowsHide: true, 948 | shell: false, > 949 | env: { 950 | ...DAEMON_ENV_OVERRIDABLE_SETTINGS, 951 | ...process.env,
Spreading entire process.env into an object — may capture all secrets 421 | function processEnv(color, cwd, envOptionFromExecutor, envFile) { 422 | let localEnv = (0, npm_run_path_1.env)({ cwd: cwd ?? process.cwd() }); > 423 | localEnv = { 424 | ...process.env, 425 | ...localEnv,
Spreading entire process.env into an object — may capture all secrets 325 | const isWorkerTypescript = path.extname(__filename) === '.ts'; 326 | const workerPath = path.join(__dirname, 'plugin-worker'); > 327 | const env = { 328 | ...process.env, 329 | ...(isWorkerTypescript
Spreading entire process.env into an object — may capture all secrets 13 | const task_env_paths_1 = require("./task-env-paths"); 14 | function getEnvVariablesForBatchProcess(skipNxCache, captureStderr) { > 15 | return { 16 | // User Process Env Variables override Dotenv Variables 17 | ...process.env,
Spreading entire process.env into an object — may capture all secrets 22 | function getTaskSpecificEnv(task, graph) { 23 | // Unload any dot env files at the root of the workspace that were loaded on init of Nx. > 24 | const taskEnv = unloadDotEnvFiles({ ...process.env }); 25 | return process.env.NX_LOAD_DOT_ENV_FILES === 'true' 26 | ? loadDotEnvFilesForTask(task, graph, taskEnv)
Spreading entire process.env into an object — may capture all secrets 146 | cwd: this.root, 147 | maxBuffer: 10 * 1024 * 1024, > 148 | env: { 149 | ...process.env, 150 | ...env,
Spreading entire process.env into an object — may capture all secrets 238 | // Yarn Berry requires an environment variable (not a CLI flag) to disable lifecycle scripts. 239 | // Apply this defensively for all package managers when pulling nx@latest to tmp. > 240 | env: { 241 | ...process.env, 242 | YARN_ENABLE_SCRIPTS: 'false',
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v22.6.4
14 findings
Spreading entire process.env into an object — may capture all secrets 30 | (0, child_process_1.execSync)(command, { 31 | stdio: 'inherit', > 32 | env: { 33 | ...process.env, 34 | NX_PROJECT_NAME: process.env.NX_TASK_TARGET_PROJECT,
Spreading entire process.env into an object — may capture all secrets 60 | (0, child_process_1.execSync)(command, { 61 | stdio: 'inherit', > 62 | env: { 63 | ...process.env, 64 | NX_PROJECT_NAME: projectGraph.nodes?.[projectName]?.name,
Spreading entire process.env into an object — may capture all secrets 703 | await execAsync(`${pmc.add} ${packageName}@${packageVersion}`, { 704 | cwd: dir, > 705 | env: { 706 | ...process.env, 707 | npm_config_legacy_peer_deps: 'true',
Spreading entire process.env into an object — may capture all secrets 1120 | (0, child_process_2.runNxSync)(`migrate ${args.join(' ')}`, { 1121 | stdio: ['inherit', 'inherit', 'inherit'], > 1122 | env: { 1123 | ...process.env, 1124 | NX_MIGRATE_SKIP_INSTALL: 'true',
Spreading entire process.env into an object — may capture all secrets 339 | console.log(preVersionCommand); 340 | } > 341 | let env = { 342 | ...process.env, 343 | };
Spreading entire process.env into an object — may capture all secrets 62 | const helpCommand = `${command} --help`; 63 | const localEnv = (0, npm_run_path_1.env)(); > 64 | const env = { 65 | ...process.env, 66 | ...localEnv,
Spreading entire process.env into an object — may capture all secrets 94 | shell: true, 95 | cwd: process.cwd(), > 96 | env: { 97 | ...process.env, 98 | [this.projectNameEnv]: env[this.projectNameEnv],
Spreading entire process.env into an object — may capture all secrets 941 | windowsHide: true, 942 | shell: false, > 943 | env: { 944 | ...DAEMON_ENV_OVERRIDABLE_SETTINGS, 945 | ...process.env,
Spreading entire process.env into an object — may capture all secrets 421 | function processEnv(color, cwd, envOptionFromExecutor, envFile) { 422 | let localEnv = (0, npm_run_path_1.env)({ cwd: cwd ?? process.cwd() }); > 423 | localEnv = { 424 | ...process.env, 425 | ...localEnv,
Spreading entire process.env into an object — may capture all secrets 319 | const isWorkerTypescript = path.extname(__filename) === '.ts'; 320 | const workerPath = path.join(__dirname, 'plugin-worker'); > 321 | const env = { 322 | ...process.env, 323 | ...(isWorkerTypescript
Spreading entire process.env into an object — may capture all secrets 13 | const task_env_paths_1 = require("./task-env-paths"); 14 | function getEnvVariablesForBatchProcess(skipNxCache, captureStderr) { > 15 | return { 16 | // User Process Env Variables override Dotenv Variables 17 | ...process.env,
Spreading entire process.env into an object — may capture all secrets 22 | function getTaskSpecificEnv(task, graph) { 23 | // Unload any dot env files at the root of the workspace that were loaded on init of Nx. > 24 | const taskEnv = unloadDotEnvFiles({ ...process.env }); 25 | return process.env.NX_LOAD_DOT_ENV_FILES === 'true' 26 | ? loadDotEnvFilesForTask(task, graph, taskEnv)
Spreading entire process.env into an object — may capture all secrets 146 | cwd: this.root, 147 | maxBuffer: 10 * 1024 * 1024, > 148 | env: { 149 | ...process.env, 150 | ...env,
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v21.6.11
14 findings
Spreading entire process.env into an object — may capture all secrets 30 | (0, child_process_1.execSync)(command, { 31 | stdio: 'inherit', > 32 | env: { 33 | ...process.env, 34 | NX_PROJECT_NAME: process.env.NX_TASK_TARGET_PROJECT,
Spreading entire process.env into an object — may capture all secrets 60 | (0, child_process_1.execSync)(command, { 61 | stdio: 'inherit', > 62 | env: { 63 | ...process.env, 64 | NX_PROJECT_NAME: projectGraph.nodes?.[projectName]?.name,
Spreading entire process.env into an object — may capture all secrets 1068 | (0, child_process_2.runNxSync)(`migrate ${args.join(' ')}`, { 1069 | stdio: ['inherit', 'inherit', 'inherit'], > 1070 | env: { 1071 | ...process.env, 1072 | NX_MIGRATE_SKIP_INSTALL: 'true',
Spreading entire process.env into an object — may capture all secrets 414 | console.log(preVersionCommand); 415 | } > 416 | let env = { 417 | ...process.env, 418 | };
Spreading entire process.env into an object — may capture all secrets 315 | console.log(preVersionCommand); 316 | } > 317 | let env = { 318 | ...process.env, 319 | };
Spreading entire process.env into an object — may capture all secrets 62 | const helpCommand = `${command} --help`; 63 | const localEnv = (0, npm_run_path_1.env)(); > 64 | const env = { 65 | ...process.env, 66 | ...localEnv,
Spreading entire process.env into an object — may capture all secrets 93 | shell: true, 94 | cwd: process.cwd(), > 95 | env: { 96 | ...process.env, 97 | [this.projectNameEnv]: env[this.projectNameEnv],
Spreading entire process.env into an object — may capture all secrets 514 | windowsHide: false, 515 | shell: false, > 516 | env: { 517 | ...process.env, 518 | ...DAEMON_ENV_SETTINGS,
Spreading entire process.env into an object — may capture all secrets 393 | function processEnv(color, cwd, envOptionFromExecutor, envFile) { 394 | let localEnv = (0, npm_run_path_1.env)({ cwd: cwd ?? process.cwd() }); > 395 | localEnv = { 396 | ...process.env, 397 | ...localEnv,
Spreading entire process.env into an object — may capture all secrets 249 | const isWorkerTypescript = path.extname(__filename) === '.ts'; 250 | const workerPath = path.join(__dirname, 'plugin-worker'); > 251 | const env = { 252 | ...process.env, 253 | ...(isWorkerTypescript
Spreading entire process.env into an object — may capture all secrets 11 | const node_path_1 = require("node:path"); 12 | function getEnvVariablesForBatchProcess(skipNxCache, captureStderr) { > 13 | return { 14 | // User Process Env Variables override Dotenv Variables 15 | ...process.env,
Spreading entire process.env into an object — may capture all secrets 20 | function getTaskSpecificEnv(task) { 21 | // Unload any dot env files at the root of the workspace that were loaded on init of Nx. > 22 | const taskEnv = unloadDotEnvFiles({ ...process.env }); 23 | return process.env.NX_LOAD_DOT_ENV_FILES === 'true' 24 | ? loadDotEnvFilesForTask(task, taskEnv)
Spreading entire process.env into an object — may capture all secrets 146 | cwd: this.root, 147 | maxBuffer: 10 * 1024 * 1024, > 148 | env: { 149 | ...process.env, 150 | ...env,
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.